It seems that people are always struggling with creating ‘good’ security questions. Someone recently sent me an interesting list of security question guidelines that contains both Good and Bad example questions. The problem with a good security question is that it needs to be something that you will easily remember but that no one (or almost no one) other than yourself knows the answer to. Should it be something very specific like your Mother’s Maiden name or your Social Security number? What about your first date or the first time you did something else memorable? There certainly are some guidelines, but the right choice depends partly on the situation: who sets the questions up (yourself, or say your bank based on information it already has on you), your culture, and so on.
How can culture play a role in this exactly? I was working recently with a client from India on implementing a Password Management system. I watched as he enrolled himself using some of the default questions provided. One default question was “What is your favorite sports team?”. Granted, this is probably not the best question for many people, especially those rabid fans that have their favorite sports team plastered on the walls of their workspace, but it was even less appropriate in this particular case. Considering cricket is an enormous sport in India and the Indian national team had just recently defeated Pakistan, he put down ‘India’ as his favorite sports team. Clearly this question would not be much of a challenge to guess.
On the other side of the spectrum, the question can be so complicated, generic or just ‘wacky’ that the answer can’t be remembered. A friend of mine once used “How much wood, would a woodchuck chuck …” etc. for his security question. In this case, 6 months later he was locked out and he couldn’t remember what he had used for an answer at the time. It took a call to the company and having a representative on the phone for an extended period of time before he finally remembered that the answer he put down was “Who cares” (well, I paraphrased, as the actual answer is not printable, but you get the idea).
Though institutions use your personal information such as your Mother’s Maiden name and your Social Security Number because it is ‘relatively’ secure (and they have it on hand already), try to stay away from information that can be Googled or obtained from a poorly filed check stub that you tossed into your drawer one day. In the end you need to create a question and answer pair that is both memorable and definitive, so you are less likely to forget it, but personal enough that even someone who knows you well can’t easily guess it.