Mitigating the High Cost of Forgotten Passwords

August 6, 2014

Password resets comprise roughly 30% of all Help Desk calls and not only impact worker productivity, but also consume valuable IT resources from your support team. What if your associates could take charge of how they reset their passwords and eliminate unnecessary calls to the Help Desk? Password self-service based on security questions is the most common solution; the difficulty lies in creating good questions.

Most identity management solutions provide password self-service functionality and use Challenge-Response questions to validate the identity of the user before allowing them to reset their password. These questions are sometimes referred to as security questions, and are usually set by the end user the first time they log into their account. Some of the most common are "What is your mother's maiden name?" or "What is your favorite color?" The attractiveness of using personal questions is that they are easier to remember than a complex password that is not tied to their identity.

Social networking sites (Facebook, Twitter) work against security questions by exposing more and more of our personal information, making it easier for a hacker to learn the answers. In reality, there is no such thing as a perfect set of security questions; however, organizations should invest the time to define GOOD security questions to prevent unauthorized access. The following guidelines will help you ‘raise the bar’ and minimize risk of a compromised account.

As a general guideline, good security questions should have the following characteristics:

  1. They are not easily guessed or discovered
  2. They have clear-cut answers
  3. They do not change over time
  4. They are memorable

Here are a few examples of Good Challenge-Response Questions

  • What is the name of your favorite childhood friend?
  • What street did you live on in the sixth grade?
  • What was your childhood phone number including area code? (e.g., 000-000-0000)
  • What is your oldest cousin's first name?
  • In what city or town did your mother and father meet?
  • What was the last name of your favorite teacher?
  • What was the name of the first grammar school you attended?

In addition to defining good questions, most organizations require users to answer ten questions when they first register with the system. In the event of a forgotten password, the user is presented with three of the ten questions, which are chosen at random, to validate their identity. This approach provides better security than using only one question that can be easily discovered/ guessed.

Another possibility to enhance your security questions is to let users create their own. There are a couple of advantages to this approach: 1) they can word the question in such a way that only they know what it's asking but it isn't obvious to someone else, and 2) the range of questions will be much broader than adopting a standard list of ten questions for all users.

More News