Password reset questions may seem like a necessary evil if you’re building any kind of system which requires users to log in. However, the process becomes utterly pointless if you make the questions so vague as to be too hard to remember.
Gartner analyst Jack Santos makes the point well in an analysis of the password reset questions Apple uses on its site. Some questions (such as “What was your mother’s maiden name?”) are unambiguous but often easy for an attacker targeting a specific person to research. Others (such as “What was the first album you purchased?”) can be hard to remember, which negates their usefulness. And some (“What was the name of the street where you grew up?”) may well have more than one correct answer.
There’s no sure-fire solution to this issue, but it pays to be aware. One other reminder: you can’t set an arbitrary minimum length for most of these answers. Some maiden names are short.
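The two implementation points above (answers with several plausible spellings, and a minimum length that would reject real maiden names) can both be handled at the point where an answer is stored and checked. The following is an added example, not code from the post or from Gartner: it normalizes an answer so that capitalization, punctuation and stray whitespace do not turn a correct answer into a wrong one, rejects only answers that are empty after normalization, and stores a salted PBKDF2 hash rather than the answer itself. The iteration count and salt size are assumptions, not values the post gives.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple


def normalize_answer(answer: str) -> str:
    """Collapse trivial variation in a security-question answer.

    "O'Brien", "obrien" and "  O'BRIEN " should all be the same answer:
    Unicode-normalize, casefold, drop punctuation, collapse whitespace.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)
    return " ".join(text.split())


def is_acceptable_answer(answer: str) -> bool:
    """Reject only answers that are empty once normalized.

    No minimum length: a two-letter maiden name is a legitimate answer.
    """
    return normalize_answer(answer) != ""


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage; the plaintext answer is never kept.

    Salt size and iteration count are assumptions chosen for this example.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 200_000
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Compare a submitted answer against the stored salt and digest in constant time."""
    _, probe = hash_answer(candidate, salt)
    return hmac.compare_digest(probe, digest)


if __name__ == "__main__":
    # Constructed sample: the user enrolled "O'Brien" as a maiden name.
    salt, digest = hash_answer("O'Brien")
    print(is_acceptable_answer("Li"))                 # short names are fine
    print(verify_answer("  obrien ", salt, digest))   # spelling variation accepted
    print(verify_answer("smith", salt, digest))       # wrong answer rejected
```

Normalization only removes accidental variation; it does not make a genuinely ambiguous question (a childhood with several streets) unambiguous, which is the author's point that there is no sure-fire fix.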
The Travesty of Security Questions [Gartner Blogs]