Personal Secret Question recommendations
This page gives guidance on choosing personal questions (also called secret questions) that are reasonably secure when used in a password reset process. Answers to these questions are credentials in their own right and should be treated like passwords: transmitted only over an encrypted connection, and stored as salted, slow password hashes rather than in plaintext or reversible encryption.
Weak Personal Questions
To pick strong personal questions, it helps first to consider what makes a personal question weak. A weak personal or secret question has one or more of the following characteristics:
Its answer can be found by doing some research about you. A useful test is whether the same information could be found out about a celebrity: where they were born, their mother's maiden name, and so on.
Many people share the same answer. Questions such as the make of your first car or your favorite movie fall into this category.
The question has only a small number of possible answers, for example favorite color or shoe size.
Examples of weak personal secret questions include:
Mother's maiden name - can be researched for celebrities and is too common.
Father's middle name - can be researched for celebrities.
High school - can be researched for celebrities.
Your anniversary date - can be researched for celebrities.
Name of your first pet - can be researched for celebrities, and many pet names are common.
Your primary area of expertise - can be researched for celebrities and may be common knowledge.
City of your birth - can be researched for celebrities, and a large city name will be the right answer for many people.
Favorite movie - answers are too common.
Street name - street names are too common.
Make or model of your car - car makes are too common, as are most models.
Favorite color - there are not enough common colors to give a wide range of answers.
Side of your bedroom that your clothes closet is on - not enough possibilities.
Stronger Personal Questions
These questions are stronger, but their strength still varies from person to person. Which questions to use will vary from site to site depending on the nature of the site and its security needs. Apply the same test as above: if a name or number could be found by a likely attacker through social media, a company directory or similar research, it is not strong for that user.
First and last name of your first boyfriend or girlfriend.
First and last name of a school friend.
First and last name of a current friend.
First and last name of your hairdresser or barber.
First and last name of your supervisor (unless it is common knowledge to anyone who would break into the account).
Your supervisor's phone number.
First and last name of your favorite co-worker or current classmate.
Name of your first grade teacher (or any other grade).
Phone number you remember most from your childhood.
Favorite place to visit as a child.
Name of your favorite park to visit and the nearest city.
Name of your favorite actor, musician, or artist.
Name of your most annoying actor, musician, or artist.
Name of your favorite song.
Name of your dentist.
Name of your doctor.
Favorite hobby (possible answers may be limited and some may be common).
The system could have the user choose one to four of these questions and require one to four of them to be answered to reset a forgotten password; how many to require is determined by the site's security requirements.
Don't allow users to write their own questions and answers, since they usually do a poor job of it. If multiple-choice answers are offered, mix them with other questions that require free-text entry. When the questions and answers are first set, check that each answer is not blank or a single character, and apply the same normalization (case, punctuation, surrounding whitespace) at enrollment and at reset so a correct answer typed slightly differently still matches. Because even the stronger questions have a limited answer space, failed reset attempts should also be limited and logged, so an attacker cannot guess freely.
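The enrollment and reset policy described above, as an added example that is not part of the original page: a Python sketch that keeps a fixed server-side question list (so users cannot write their own), rejects blank, one-character and too-common answers at enrollment, stores each answer as a salted scrypt hash rather than in plaintext, and grants a reset only when at least the required number of answers match. The question catalogue, the deny list of common answers and the scrypt parameters are constructed assumptions for the example.

```python
"""Secret-question enrollment and k-of-n reset verification.

Added example, not the page's own code. Assumptions: questions come from a
fixed server-side list, answers are normalized before hashing, and only
salted scrypt hashes (never plaintext) are stored.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

# Constructed question catalogue; the stored record refers to ids only and
# the user never supplies question text.
QUESTIONS = {
    1: "First and last name of your first grade teacher",
    2: "Phone number you remember most from your childhood",
    3: "Name of your dentist",
    4: "Name of your favorite song",
}

# Constructed deny list: answers so common that they give almost no entropy
# (the "favorite color" / "car make" class of answer from the page).
COMMON_ANSWERS = {"blue", "red", "green", "black", "ford", "toyota", "none", "na"}

MIN_ANSWER_LEN = 2  # page: reject blank or single-character answers
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # assumed cost parameters


def normalize(answer: str) -> str:
    """Casefold, drop punctuation and collapse whitespace so that
    'Mrs. Smith ' and 'mrs smith' compare equal at reset time."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = "".join(ch for ch in text if ch.isalnum() or ch.isspace())
    return " ".join(text.split())


def validate_answer(question_id: int, answer: str) -> str:
    """Enrollment-time checks; returns the normalized answer or raises."""
    if question_id not in QUESTIONS:
        raise ValueError("unknown question id; custom questions are not allowed")
    norm = normalize(answer)
    if len(norm) < MIN_ANSWER_LEN:
        raise ValueError("answer is blank or too short")
    if norm in COMMON_ANSWERS:
        raise ValueError("answer is too common")
    return norm


def hash_answer(norm: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted scrypt hash of a normalized answer; a fresh salt per answer."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(norm.encode("utf-8"), salt=salt, **SCRYPT)
    return salt, digest


def enroll(answers: dict[int, str], min_required: int) -> dict:
    """Build the record to store: per-question (salt, hash) plus the policy."""
    if not 1 <= min_required <= len(answers) <= 4:
        raise ValueError("choose 1-4 questions and require no more than were set")
    stored = {}
    for qid, answer in answers.items():
        salt, digest = hash_answer(validate_answer(qid, answer))
        stored[qid] = (salt, digest)
    return {"required": min_required, "answers": stored}


def verify_reset(record: dict, attempt: dict[int, str]) -> bool:
    """Permit the reset only if at least `required` answers match.

    Every stored answer is checked even once enough have matched, and the
    comparison is constant-time, so response timing does not reveal which
    individual answers were correct.
    """
    matched = 0
    for qid, (salt, digest) in record["answers"].items():
        _, candidate = hash_answer(normalize(attempt.get(qid, "")), salt)
        if hmac.compare_digest(candidate, digest):
            matched += 1
    return matched >= record["required"]


if __name__ == "__main__":
    record = enroll({1: "Mrs. Smith", 2: "555 0100", 3: "Dr Jones"}, min_required=2)
    print(verify_reset(record, {1: "mrs smith", 2: "wrong", 3: "DR JONES"}))
```

The attempt-limiting the text calls for belongs around verify_reset (a per-account failure counter and lockout); it is left out here so the example stays focused on enrollment checks and storage.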