Security questions: helpful self-service feature, confusion, or security risk?

Question: What was your favorite teacher’s youngest child’s first pet’s name?
Answer 1: StupidQuestion TeacherPet Booyah
Answer 2: Green polka dots
See why below.

As part of account creation, many sites require you to answer secret questions. This isn’t only for security. It provides a self-service way for you to reset your password, which is easier for the company, and maybe for you, too. (Remember when you used to call customer care for things like this?) But security questions can be hard to design and use.

Problems with security questions

A system must present users with enough questions so they can pick a couple to answer and remember. Here are some questions and categories that can cause problems:

  • “Where was your first kiss?”  I’ve seen this make some people laugh, but embarrass others.
  • “What’s your favorite …?” Preferences change often, so answers are hard to remember.
  • “What was your phone number growing up?”  Let users know if hyphens, parentheses and spaces count.
  • “What’s your youngest child’s first name?”  If you have another child later (or have none), this won’t work.
  • Marriage dates, location or attendants.  Not everyone is married.
  • Pet names or types.  Some people don’t have pets.

Here are some real examples from 2012, when I wrote this post: the first is from, the second from How many questions could you answer now and remember later? How many just leave you scratching your head?

Some of the secret questions at

Secret questions from


And there’s the question of whether security questions are useful at all. points out that

The reality is, security questions present an opportunity for breach and even the best security questions are not good enough to screen out all attacks. There is a trade-off; self-service vs. security risks.

People who know you may know enough to answer your questions; people who don’t know you may be able to find out the answers (how many people on Facebook and LinkedIn know what schools you went to?).

I just came across an interesting example at the Minor League Baseball sites. When I indicated that I’d forgotten my password, I got this screen. Oddly, I had to remember which security question I’d answered before I could answer it.  [Added 25 Sep 2012]

At the Minor League Baseball site, first you have to remember which question you answered and then answer it

Solutions for users answering questions

One of the most interesting ideas I came across is to answer a completely different question. You might use “green polka dots” when the question is “What street did you grow up on?” That’s harder for someone to guess, but harder for you to remember unless you use it everywhere (which isn’t secure: once one site leaks it, it unlocks every other site where you used it).

Danah Boyd, writing on Apophenia, suggests combining a “snarky bad attitude phrase” with a clue from the actual question, plus a unique word. For example, she writes “when I’m asked the following question: What is your favorite sports team? My answer would be: StupidQuestion SportsTeam Booyah”.

Solutions for designers picking questions to include

Here are some tips for selecting questions for your application:

  1. It’s OK to have some questions that don’t apply to everyone, but have enough choices so everyone can comfortably use a few.
  2. Questions shouldn’t be so obscure that people have to write their answers down.
  3. Answers shouldn’t be too easy for someone to figure out.
  4. Answers should be unique — there should be just one.
  5. Answers should be stable over time, unlike favorite things.
  6. Have reminders about punctuation and case, both for initial and subsequent entries.
  7. Consider allowing people to specify their own questions in case none of the provided ones work.
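Tips 3 and 6 (and the phone-number bullet above) have an implementation side too. The example below is added here and is not code from the original post: it normalises an answer so that “(617) 555-0123”, “617-555-0123” and “617 555 0123” all match, stores only a salted slow hash of the normalised form, compares in constant time, and locks the question after a handful of wrong guesses, since a low-entropy answer such as the make of a first car can be enumerated in a few tries. The record layout, the function names and the candidate list are hypothetical.

```python
# Added example, not from the original post. Normalise, hash and verify
# security-question answers, and cap guesses. All names are hypothetical.
import hashlib
import hmac
import os
import re
import unicodedata

PBKDF2_ROUNDS = 100_000  # slow hash: answers carry far less entropy than passwords
MAX_FAILURES = 5         # lock the question after this many wrong guesses


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so that case, accents, spaces and punctuation
    don't matter. Tip 6 in the post: tell users this is what you do, both at
    enrolment and at reset, so they are not surprised either way."""
    s = unicodedata.normalize("NFKD", answer)
    s = "".join(c for c in s if not unicodedata.combining(c))  # strip accents
    s = s.casefold()
    return re.sub(r"[^0-9a-z]+", "", s)  # drop spaces, hyphens, parentheses, punctuation


def enroll_answer(answer: str) -> dict:
    """Store a salted slow hash of the normalised answer, never the plaintext,
    so a database leak does not hand attackers every user's answers."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt, "hash": digest, "failures": 0}


def verify_answer(record: dict, attempt: str) -> bool:
    """Constant-time comparison; refuses once the question is locked."""
    if record["failures"] >= MAX_FAILURES:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(attempt).encode(), record["salt"], PBKDF2_ROUNDS
    )
    if hmac.compare_digest(digest, record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


def try_candidates(record: dict, candidates: list) -> tuple:
    """Illustration of an enumeration attack against an easily guessed answer.
    Returns (found, attempts_made); the lockout bounds attempts_made."""
    for i, guess in enumerate(candidates, 1):
        if verify_answer(record, guess):
            return True, i
        if record["failures"] >= MAX_FAILURES:
            return False, i
    return False, len(candidates)


if __name__ == "__main__":
    phone = enroll_answer("(617) 555-0123")
    print(verify_answer(phone, "617 555 0123"))  # normalisation makes these match
    # Constructed candidate list: common car makes, with the real answer sixth.
    car = enroll_answer("Honda")
    makes = ["Ford", "Toyota", "Chevrolet", "Nissan", "Volkswagen", "Honda"]
    print(try_candidates(car, makes))  # the lockout stops the attacker at guess 5
```

The lockout is per question and per account; in a real system you would also throttle by source address and alert on repeated resets, because the attacker's next move is simply to try the other questions on the same account.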

Usability testing helps

It may seem trivial to test security questions, but it does help. We got some good feedback in a recent project and changed the questions in our list. There’s nothing like showing your work to real users.


6 Responses to Security questions: helpful self-service feature, confusion, or security risk?

  1. Ron Perkins says:

    Interesting, I’ve always wondered what to do about those questions!

  2. Ward says:

    Real-world question from a forgotten site: “What was your least favorite childhood nickname?”

    Dredging up painful memories, whether or not one answers the question, seems like a poor idea.

    • Paul says:

      Most security questions are a security risk more severe than weak passwords. In many cases, the answers are easily enumerable (e.g. the make of your first car). The best design would allow the user to decline use of security questions.

  3. Tim says:

    Forget things people who know you could sneer or find out. I’m always surprised at how many sites ask things which are a matter of public record, like mother’s maiden name or place of birth.

    • Hal Shubin says:

      Good point. Could it be that they don’t take it seriously? But large companies must have security officers these days.

      I didn’t look into how long ago secret questions started, and whether it goes back to a time when personal information wasn’t so readily available. That would be good to look into.
