A security question is a question used to verify a person's identity on a password-protected network or Web site. Users typically choose one out of a number of biographical questions to answer when they create online accounts. Then, if a user forgets the password, he or she will be prompted to answer this security question. If the question is answered correctly, the system will send information on how to reset the password. Security questions may also be used as a secondary form of identity verification after the password is entered, for instance if the user is logging in from an unknown location.
Security questions have gained favor since the early 2000s as a result of what is sometimes called "password chaos." Someone who uses the Internet for work, school, banking, personal communications, etc., may have dozens of different usernames and passwords that he or she may easily confuse. Before the advent of security questions, the user might have to call customer service to have the password reset manually. Sites that allow users to reset their passwords by means of a security question saves money for companies and time for the users.
Although security questions are a convenient way of resetting a password, they are generally considered far less secure than the password itself. A common security question, for instance, is "What is your mother's maiden name?" This information, while it might not be widely known, can often be found via a little bit of Internet sleuthing, thus compromising the user's account. Other information that is sometimes used in security questions might include the names of pets, favorite vacation spots, or school information, much of which is routinely posted on social networking sites.
Due to these security risks, both users and network developers must be careful about the security questions they choose as well as how they answer them. A good security question should have many possible answers that a hacker would not likely be able to guess. Users should be careful not to post information related to the security question anywhere on the Internet.
Developers should also phrase questions in such a way that there is only one possible way to write the answer. For example, the answer to the question, "What is your mother's date of birth?"could be written "1 July 1948," "July 1, 1948," "7/1/1948," or any number of other ways. A user who forgot his or her password is not likely to remember in which way he or she wrote the answer, making this is a poorly written security question. A better question would be, "What is the month and year of your mother's birth (e.g. July 1948)?"