An internet security question is a backup measure used to authenticate the user of a website or application when they have forgotten their user name and/or password. In theory, a security question is a shared secret between the user and the website; in practice, it is a second, usually much weaker, password.
Because the answers to many security questions can be found online with a little research (social media profiles, public records) or guessed from a small set of likely values, security questions are often criticized for making user accounts vulnerable to attack. Security expert Bruce Schneier referred to website security questions as an “easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password.”
A security question should have the following characteristics:
- The answer should not be discoverable online or from public records.
- The question should be unambiguous, and the answer should be simple to state consistently (one obvious spelling, no alternative forms).
- They should be about something memorable to the user.
- The answer should not be something that might change over time.
- There should be many possible answers to the question, so that the correct one cannot be guessed or enumerated in a handful of attempts.
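The characteristics above describe what a good question looks like, but a site also has to handle the answer it collects. The following is an added example (not code from the original page or from any particular site) showing the server-side controls that follow from the same reasoning: the answer is normalized so that trivial differences in case and spacing do not lock the user out, answers drawn from a tiny answer space are rejected at enrollment, the stored value is salted and slow-hashed exactly as a password would be, comparison is constant-time, and recovery attempts are capped so that a small answer space cannot be enumerated online. The denylist, the minimum length, the work factor and the attempt cap are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

# Constructed sample denylist of answers whose answer space is tiny
# (colours, yes/no, very common pet names). A real deployment would use a
# larger, data-driven list; these values are illustrative assumptions.
LOW_ENTROPY_ANSWERS = frozenset({
    "red", "blue", "green", "black", "white",
    "yes", "no", "none", "n/a",
    "max", "bella", "buddy", "charlie",
})

MIN_ANSWER_LENGTH = 3          # assumed policy value
PBKDF2_ROUNDS = 200_000        # assumed work factor; tune to your hardware
SALT_LEN = 16
MAX_ATTEMPTS = 5               # assumed per-user cap on recovery guesses


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so that case, surrounding whitespace, repeated
    spaces and Unicode presentation form do not cause a false mismatch."""
    text = unicodedata.normalize("NFKC", answer)
    text = text.casefold().strip()
    return re.sub(r"\s+", " ", text)


def validate_answer(answer: str) -> Optional[str]:
    """Return a rejection reason, or None if the answer is acceptable."""
    norm = normalize_answer(answer)
    if len(norm) < MIN_ANSWER_LENGTH:
        return "too short"
    if norm in LOW_ENTROPY_ANSWERS:
        return "answer space too small"
    return None


def enroll_answer(answer: str) -> bytes:
    """Store the answer like a password: random salt plus a slow hash.
    Returns salt || digest; the plaintext answer is never stored."""
    reason = validate_answer(answer)
    if reason is not None:
        raise ValueError(reason)
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt + digest


def verify_answer(stored: bytes, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest, expected)


def attempt_recovery(store: dict, user: str, candidate: str, attempts: dict) -> bool:
    """Verify a recovery answer under a per-user attempt cap. Once the cap is
    reached every further attempt fails, correct or not, so the limited
    answer space cannot be searched online. 'attempts' is an in-memory
    counter here; a real service would persist it."""
    if attempts.get(user, 0) >= MAX_ATTEMPTS:
        return False
    ok = verify_answer(store[user], candidate)
    if not ok:
        attempts[user] = attempts.get(user, 0) + 1
    return ok


if __name__ == "__main__":
    # Constructed walk-through with one user.
    store = {"alice": enroll_answer("Mrs. Pemberton-Ross")}
    attempts: dict = {}
    print(attempt_recovery(store, "alice", "mrs. pemberton-ross", attempts))  # True
    print(validate_answer("Blue"))  # answer space too small
```

Normalization deliberately stays conservative: it folds case and whitespace but does not strip punctuation or attempt phonetic matching, because every extra equivalence rule shrinks the effective answer space that the last characteristic above asks you to preserve.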
Alternatives to website security questions include two-factor authentication, which ties account recovery to something the user possesses rather than to a fact an attacker may be able to look up or guess.