Personal Secret Question recommendations

This page provides guidance for creating personal questions (also called secret questions) that are secure enough to use in a password reset process. Treat the answers like passwords: transmit them only over TLS and store them as salted hashes produced by a password-hashing function, never as plaintext or reversibly encrypted values. The question text itself is not secret; what must be protected is the user's answer.

Weak Personal Questions

To choose strong personal questions, it helps to first consider what makes a personal question weak. A weak personal (secret) question has one or more of the following characteristics:

  • The answer can be found by doing some research on the user. Ask whether the same fact could be dug up about a celebrity: place of birth, mother's maiden name, and so on are routinely public.
  • Many users give the same answer, so an attacker can simply guess the most common ones. Make of first car and favorite movie are examples.
  • The question has only a handful of possible answers, so all of them can be tried. Favorite color and shoe size are examples.

Examples of weak personal secret questions include:

  • Mother's maiden name - can be researched for public figures and is too common.
  • Father's middle name - can be researched.
  • High school - can be researched.
  • Your anniversary date - can be researched.
  • Name of your first pet - can be researched, and many pet names are common.
  • Your primary area of expertise - can be researched and may be common knowledge.
  • City of your birth - can be researched, and a large city is the correct answer for a great many people.
  • Favorite movie - answers are too common.
  • Street name - too common.
  • Car make or model - too common.
  • Favorite color - too few distinct answers to give a useful range.
  • Side of your bedroom that your clothes closet is on - only two possible answers.

Stronger Personal Questions

These questions are stronger, but their strength still varies from person to person, and any of them can be undermined if the user has posted the answer on social media. Which questions a site should offer depends on the nature of the site and its security needs.

  • First and last name of your first boyfriend or girlfriend.
  • First and last name of a school friend.
  • First and last name of a current friend.
  • First and last name of your hairdresser or barber.
  • First and last name of your supervisor (unless it would be known to anyone likely to attack the account).
  • Your supervisor's phone number.
  • First and last name of your favorite co-worker or current classmate.
  • Name of your first grade teacher (or any other grade).
  • Phone number you remember most from your childhood.
  • Favorite place to visit as a child.
  • Name of your favorite park and the nearest city.
  • Name of your favorite actor, musician, or artist.
  • Name of the actor, musician, or artist you find most annoying.
  • Name of your favorite song.
  • Name of your dentist.
  • Name of your doctor.
  • Favorite hobby (possible answers are limited and some are common).

The system could have the user choose one to four of these questions and require one to four of them to be answered correctly to reset a forgotten password; how many is determined by the site's security requirements.

Don't allow users to write their own questions and answers, since they rarely choose well. If multiple-choice questions are offered, mix them with questions that require free-text answers. When the questions and answers are first selected, check the input and reject any answer that is blank or a single character.
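The enrollment and verification flow described above, written out as an added Python example (not code from the original page): users pick from a fixed list of approved questions, answers are rejected if blank, a single character, or on a denylist of common answers, and only per-answer salts and password-style hashes are stored. Verification requires a configurable number of correct answers and checks every stored question with a constant-time comparison. The question ids, the `APPROVED_QUESTIONS` list, the small `COMMON_ANSWERS` denylist and the policy constants are assumptions for illustration.

```python
"""Enrollment and verification of personal secret questions for a password-reset flow.

Added example, not the page's own code. Assumes a fixed, site-approved question list
and a constructed denylist of common answers; identifiers are illustrative.
"""
import hashlib
import hmac
import secrets
import unicodedata
from typing import Dict, Optional

# Users pick from this approved list and never write their own questions.
# Question ids (not the question text) are what gets stored with the account.
APPROVED_QUESTIONS = {
    "q_teacher": "First and last name of your first grade teacher",
    "q_phone": "Phone number you remember most from your childhood",
    "q_dentist": "Name of your dentist",
    "q_song": "Name of your favorite song",
}

# Constructed sample denylist of answers so common that guessing them is cheap.
# A real deployment would build a much larger list from its own answer statistics.
COMMON_ANSWERS = {"blue", "red", "green", "none", "n/a", "password", "smith", "jones"}

MIN_QUESTIONS = 2        # assumed site policy; the page allows one to four
MIN_ANSWER_LENGTH = 2    # reject blank or single-character answers
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def normalize(answer: str) -> str:
    """Canonicalise an answer so case and spacing differences do not lock the user out."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def validate_answer(answer: str) -> Optional[str]:
    """Return a rejection reason, or None if the answer is acceptable."""
    norm = normalize(answer)
    if len(norm) < MIN_ANSWER_LENGTH:
        return "answer is blank or too short"
    if norm in COMMON_ANSWERS:
        return "answer is too common"
    return None


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Hash a normalized answer with a slow, salted KDF, exactly as a password would be."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(selections: Dict[str, str]) -> Dict[str, Dict[str, bytes]]:
    """Validate the chosen questions and answers; return the record to persist.

    Only question ids, per-answer salts and hashes are stored, never plaintext answers.
    """
    if len(selections) < MIN_QUESTIONS:
        raise ValueError(f"choose at least {MIN_QUESTIONS} questions")
    record: Dict[str, Dict[str, bytes]] = {}
    for qid, answer in selections.items():
        if qid not in APPROVED_QUESTIONS:
            raise ValueError(f"{qid}: not an approved question")
        reason = validate_answer(answer)
        if reason is not None:
            raise ValueError(f"{qid}: {reason}")
        salt = secrets.token_bytes(SALT_BYTES)
        record[qid] = {"salt": salt, "hash": hash_answer(answer, salt)}
    return record


def verify(record: Dict[str, Dict[str, bytes]], attempts: Dict[str, str],
           required: Optional[int] = None) -> bool:
    """Return True if at least `required` stored questions were answered correctly.

    Every stored question is checked with a constant-time comparison regardless of
    earlier results, so timing does not reveal which answer was wrong. Rate limiting
    of reset attempts is assumed to be enforced by the caller.
    """
    needed = len(record) if required is None else required
    correct = 0
    for qid, entry in record.items():
        given = attempts.get(qid, "")
        if hmac.compare_digest(hash_answer(given, entry["salt"]), entry["hash"]):
            correct += 1
    return correct >= needed
```

Normalization is a design choice: folding case and whitespace keeps legitimate users from being locked out by "Dr. Lee" versus "dr lee"-style differences, at the cost of a slightly smaller answer space, so it should never go as far as stripping letters. The denylist check at enrollment is what turns the page's "too common" criterion into something the system actually enforces.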