What are some good security questions?

Question

We all know that security questions suck, but still they're often used as the authentication of last resort to reset forgotten passwords. What are some secure and unsecure ones you've used or seen?

Use community owned answers for voting. Up-vote secure questions. Down-vote unsecure questions. Explain in comments.

Answer 1

What was the name of your high school?

Answer 2

What was the name of your first school?

Answer 3

What is your all-time favorite past-time?

Answer 4

What is your father's middle name?

Answer 5

What was your high school mascot?

Answer 6

Where did you first meet your spouse?

Answer 7

What was the name of your favorite food as a child?

Answer 8

What was the first sport you ever played as a child?

Answer 9

What is your favorite sexual position? =P

...lets see an ID thief steal that tidbit from the public records.

Answer 10

In what town did you spend most of your youth?

Answer 11

No such thing as a good pre-chosen question. The user should be allowed to chose their own security question, so they can pick one that is difficult to guess. At the very least, if you must offer a dropdown, put in "Enter my own..." as an option.

Answer 12

What is your all-time favorite sports team?

Answer 13

What year did you graduate high school?

Answer 14

Do you need help here, or are you okay on your own? :)

Answer 15

What was your favorite childhood pet's name?

Answer 16

What was your best friend's name when you were a child?

Answer 17

Unless its something, that you truly have a hard time answering, its probably not good enough if its prechosen.

Security questions are outdated, use email. If its an email system, use really really obscure information that almost no-one would know. If its not an email system, there is no excuse for you to rely on such outdated technology.

Answer 18

"What is a good security question?"

That seems like it would be very difficult to predict.

Answer 19

For the sake of rediculousness in these questions, my favorite would be.

How about number of Bands in your finger print?
Waste size in milimeters?
Percapita number of freckles on your arm?

Answer 20

What is your quest?

Answer 21

Agreeing with John here. Just about any such question either will be easily found out (What is the name of your dog was the sequrity question for one of Paris Hiltons accounts if the rumours are true), easily socially engineered ("Hi, you have won a free milkshake in our random sweepstakes, what flavour would you like?") or the number of answers is too small for it to give any type of security (How many sexual positions do you know the name to? No, don't really answer this...)

My bank uses a series of questions regarding my account to add security, like "Do you have an extra card connected to the account?" "Do you have a fund-account as well?"... Using 3 or 4 such questions. That solution is slightly more secure, but still could be guessed so that 10 calls or so would give a random, answer that cracked it (Most people do not have extra cards, probably most don't have stock...)

I would evaluate questions asking myself:

1. How many likely answers are there? (Note Likely, not all possible. Few people like ketchup milkshakes)
2. Is the answer available through public records? Likely to be part of a blog?
3. Will someone's friends or relatives know the answer?
4. If asked in a devious way, will people answer? (Social engineering)

Using those criteria on common "security" questions, I come to the conclusion that they suck.

Answer 22

What was your first word?

(Assuming it wasn't 'mum')

Answer 23

The trend is usually to ask questions that bring up semi-pleasant childhood memories or neutral factual questions.

But what gets burned on people's brains are negative memories, so I think questions like these would be effective:

• The name of the person you were passed over for a promotion in favor of.
• The name of the person you should have kissed
• What's the largest amount of money you have lent that was never paid back?
• How much was the most expensive car repair you've ever had to pay for?
• Which of your siblings was your parents' favorite?
• The teacher who gave you your first failing grade / worst subject in school
• Your worst boss

Of course, the side effect is your users will hate you for bringing these unpleasant memories to mind, but I'm pretty sure they'll remember them.

Answer 24

I guess if you're going to ask a specific question, it's better to have it rely on something in the user's office/home/whatever. For example, you could say

"Enter a line of text from a piece of paper on your desk."

It's much less likely that someone is going to guess that passphrase. Of course, if they do break into your office and see a memo on the wall with a star next to a particular line, they might make that connection ... and if you're not in your office, you're not likely to remember it yourself.

Answer 25

Usually I select any question and answer with a keyword (like a second password...)

Answer 26

I'd suggest anything that is not publicly available information -- just ask Sarah Palin.

Answer 27

What is the ratio of the weight of your left leg to the length of your middle finger.

This question is easily answered by the leg and finger owner, but would prove difficult for others to determine.

Answer 28

Good presentation about MMN questions..

http://se.youtube.com/watch?v=pypFzJmgPhg

Answer 29

Good security questions are a misnomer. They actually create a vulnerability into a system. We should call them in-secure questions. However, recognizing the risk and value they provide, "good" security questions should have 4 characteristics: 1. cannot be easily guessed or researched (safe), 2. doesn't change over time (stable), 3. is memorable, 4. is definitive or simple. You can read more about this at http://www.goodsecurityquestions.com.

Here's a list of good, fair, and poor security questions.