Yu Blog

Latest Thinking

Do You Have a Good Security Question?
Jun 2009

Do You Have a Good Security Question?

Let’s quickly review why, and under what conditions, these questions are used. Secret questions (security questions) are most often used when a user has forgotten his account password. This device ensures that the person renewing the password is in fact the person he says he is. Of course no system is infallible, but this one considerably reduces the risks.

Here’s the general idea: whenever you create a new account – especially with services where you have to provide sensitive personal information (the bank, email, etc…) – you will be asked to choose one or several security questions to which only you will know the answer. These questions must be as secure as a password without being “encrypted”. Therein lies the rub!

Fig. 1 – Example of a security question used by Paypal

At any point in the future, any user wishing to update his password will be required to provide the correct response to the security questions he selected. And of course, to “simplify” things, the different services to which he subscribes won’t necessarily offer the same set of questions!

1- Which questions just don’t work?

There are two main problems with security questions: Either the question is too easy, and someone from the user’s entourage can find the answer and play a dirty trick… or the question is too general and it’s hard to remember the answer.

The question should therefore provide enough hints for the user to remember, yet still be general enough. Finding a happy medium is the greatest challenge in developing these questions.

Example of non-secure specific questions:

  • In what city were you born?
  • What is your favourite movie?
  • What brand was your first vehicle?
  • What’s your favourite colour?

The answer to these questions can be found with a minimum of research. For example, it’s easy to find a list of the top 100 movies of all time, and there are only about one hundred names for colours (even including things like cream…).

Example of broad questions that are hard to recall:

  • What’s your favourite video game?
  • Who is your favourite historical character?
  • Who is your favourite actor, musician or artist?

Why is it that, in the case of the latter questions, recall is difficult despite the questions being very specific? Let’s reflect for a moment on how memory works; particularly the phenomena of remembering and forgetting.

Benton J. Underwood (1957) and others have demonstrated the existence of a phenomenon that can cause interference with memory and lead to forgetting. In our daily lives, two sources of interference combine to cause us to forget names, dates, forms, etc…

On the one hand, the theory of Retroactive Interference suggests that what we forget of what we’re now retaining increases as a function of similarity to future learning. On the other hand, Proactive Interference suggests that the first memory interferes with the second. For example, words previously remembered may be included in the recall of new information.

But all is not lost ; ) Tulving and Psotka (1971) have demonstrated that interference is eliminated if recovery hints are provided. This is good news for our ability to remember. There are also several types of hints: associative (tools – hammer), phonetic (rhyme), or even visual. However, using hints is still a weak recall method when compared to recognition.

Example of recall versus recognition in a list of 6 words:

  • What six words did you learn yesterday?
  • In this list of 30 words, what six words did you learn yesterday?

Many experiments have demonstrated that the second case generated much better results (Bahrick et Wittlinger, 1975). In our case of the security question asking “what’s your favourite video game?“, the answer can evolve over time. When the time comes for the user to change his password, his favourite video game is likely to have changed; he’s probably played many more games and amassed a great deal of information on the subject. Ten years later, the same person will almost certainly have forgotten the game.
In this case, forgetting is very hard to undo. The game was neither a sustainable event, nor a significant moment, and any change in context alters the user’s perception of the hints, which affect his ability to recall.

2- How do I create a good question?

It is therefore crucial that any hints refer to something significant and, if possible, to something that won’t change over time. An important moment in the person’s life would be a good example. The question should apply to the great majority, relate to a significant experience and be hard to predict.

Naturally, by proposing a number of questions, the user can choose the one that is best suited to the situation and the least ambiguous. You should also realize that it’s not easy to create a good list of questions. Finally, we think that letting the user create his own question (like google mail does) is a risky proposition.

Example of questions we would recommend:

  • What is your first love’s first name?
  • What is your favourite grade school teacher’s family name?
  • What is your maternal great-grandmother’s first name?
  • What is the name of the city where your parents met?
  • When you were a child, what did you want to be when you grew up?

It is also worth noting that experiments on recovery of information stored in long-term memory have shown that images are more effective than words. What other tools could we use to help the user recall a specific context (a photo of the environment in which the response was provided, a short clip of the music that was playing, etc…), in order to improve recall abilities and allow for “weaker” questions?

Have you ever had to create security questions? What are your thoughts on the subject?

Updated :

Here’s an interesting fact that confirms the importance of a good security question and the awareness that users must have of the subject. Today, the media announced that Sarah Palin’s Yahoo email address was hacked. It would seem that the hacker found the response to the security question and got into the Republic candidate’s email inbox.

For more information, see this TIME ARTICLE.

Tags are not defined.

0 Comment(s)

Leave a Reply