Thursday, September 8, 2011

Working vocabulary (What makes a good security question, redux)

Helpful reader Rick Auricchio has informed me that the numbering I was using in previous posts was rather opaque, especially since the list it drew from wasn't actually numbered, and suggested instead using more descriptive adjectives. He had a good list of adjectives to match the numbers, and I made just a few changes. The list is as follows:

Applicable: It actually applies to you and has an answer. Sites should either provide security questions that apply to a large portion of their user base or have many questions to choose from. Where you met your spouse is probably not a great question for a singles dating site.
Private: It's something that few other people know, that's not in public records or all over your blog or resume. First grade teacher is a good question for a site with an adult user base, but not great for one that caters to high-schoolers who probably all have the same answer.
Unpredictable: The answer is hard to guess. 'Favorite Color' fails this hard: one third of people have Blue as their favorite color. If you're a bank with one branch in one city then birthplace is also not ideal.
Unforgettable: You will definitely know/remember the answer. Otherwise you've defeated the purpose.
Invariant: The answer won't change even if your home, job, tastes, or even spouse changes. It happens more often than you'd think.
Unambiguous: There's only one good answer AND that answer is only typed/phrased in one way. God help you if it's case sensitive.
Allowable: The users answer is not blocked due to technical limitations (e.g. length, special characters). What state were you born in doesn't work if you have a 6 character minimum (poor buckeyes!).

It's not perfect. For example, some of the adjectives describe the questions whereas other describe ideal answers. But I think it's important to try and develop a vocabulary for talking about security questions. (which I hadn't come across when I first made this blog) has done something similar, and has some great tips, but I'd like to go into a bit more detail to figure out problems with security questions.

I'm going to go back a bit and clarify some of the older posts as necessary so they have more than just numbers in the discussions.

No comments:

Post a Comment