Okta
okta.com › blog › identity security
Security Questions: Best Practices, Examples, and Ideas | Okta
Typically, these security questions and answers are used for self-service password recovery—inputting the correct answer verifies the user and allows them to reset their password—though you can also implement security questions as an additional authentication factor for logins.
Journal of Accountancy
journalofaccountancy.com › home › magazines › online security: the password-recovery questions you should be answering
Online security: The password-recovery questions you should be answering
March 1, 2018 - To combat the more simplistic nature of security questions administrators often ask, end users might consider protecting themselves further by providing random answers that cannot be researched or guessed. In effect, I am suggesting that your answers be more random so they act more like a password. For example, instead of providing your mother’s actual maiden name, you might provide the made-up name Aphrodite1234!, which resembles a password more so than a name.
Videos
01:22
Microsoft Azure - Configure security questions for self service ...
01:43
How To Update Your Security Questions & Answers For Windows 10 ...
03:42
How to Update Security Questions & Answers in Windows 11 for Use ...
04:59
Update Security Questions on Local Account | Windows 11 Step-by-Step ...
Forgot Apple ID Security Questions? Reset Them FAST! - YouTube
02:12
How To Reset Security Question In iCloud Tutorial - YouTube
Microsoft Support
support.microsoft.com › en-us › account-billing › set-up-security-questions-as-your-verification-method-3d74aedd-88a5-4932-a211-9f0bfbab5de8
Set up security questions as your verification method - Microsoft Support
If you don't see the security questions ... to choose another method or contact your administrator for more help. Administrator accounts are not allowed to use security questions as a password reset method....
OWASP Cheat Sheet Series
cheatsheetseries.owasp.org › cheatsheets › Choosing_and_Using_Security_Questions_Cheat_Sheet.html
Choosing and Using Security Questions - OWASP Cheat Sheet Series
The combination of a password and security questions does not constitute MFA, as both factors as the same (i.e. something you know).. Security questions should never be relied upon as the sole mechanism to authenticate a user. However, they can provide a useful additional layer of security when other stronger factors are not available. Common cases where they would be used include: Logging in. Resetting a forgotten ...
Avatier
avatier.com › home › blog › 7 best practices for password reset questions
7 Best Practices for Password Reset Questions
April 9, 2020 - Users who enter the answers to security questions twice are more likely to remember them. 6) Expire Password Reset Questions For High-Risk Access
NordVPN
nordvpn.com › blog › security-questions
How to choose the best security questions | NordVPN
May 7, 2025 - It’s one of the online authentication methods for account recovery and an extra layer hackers need to break to get in. But don’t rush it, because not all questions can guarantee security. Read on to learn about the most common security questions and how to choose a good one. ... Many platforms ask you to choose a security question, which you will need to answer when logging in or resetting your password...
Full Scale
fullscale.io › blog › best-security-questions
Best Security Questions for Robust Protection (Examples)
Discover all the latest in technology, trends, innovation, IT news, hot skills, and culture from Full Scale's official blog.
VeePN
veepn.com › home › best security questions: selection criteria and examples
Best Security Questions: Selection Criteria and Examples | VeePN Blog
May 21, 2025 - 1.Criteria for choosing good security questions 2.Basic types of secure questions 3.Recommendations for choosing the best security questions 4.Examples of efficient and inefficient security questions 5.What is the reason for the need to use a VPN? Entering correct security answers to your question helps protect your website from critical changes. Even if attackers have taken possession of the password from the control panel, they will not be able to remove the module, change the password or security settings without knowing the correct answer to the security question.
Top answer 1 of 3
2
I agree with your security team. The "security question" is not secure on its own: cities can be found over ip, names can be googled and nicknames of pets can be guessed.
However, you could combine both methods: first send the mail, and when the user clicks the link, ask the question. This way you would add at least a bit more security to the procedere. Also think about a lock (e.g. 12 hours) after three bad attempts to ensure bruteforcing isn't possible.
2 of 3
1
I agree with your security team, these kind of questions are too easy to lift from social media, online research or just guesswork. It can be made a lot better then 'what is your dogs name', but its still antiquated.
Depending on your needs, in most situations I recommend an third choice. Required mobile phone number registration and SMS to the mobile phone with a verification code on password change.
Sadly, some users have the same/similar password everywhere. And what if this customer of yours have had an attacker start with taking his email account? Then finding he have an account on your product from reading his emails. Then taking over his account with your company, then .. changing the password since you email the password changing link to him/her ..
Google Support
support.google.com › accounts › thread › 150665812 › i-forget-password-and-security-question-s-answer
i forget password and security question's answer - Google Account Community
Skip to main content · Google Account Help · Sign in · Google Help · Help Center · Community · Google Account · Terms of Service · Submit feedback · Send feedback on
Reddit
reddit.com › r/lastpass › sites that allow security question password resets
r/Lastpass on Reddit: Sites that allow security question password resets
January 8, 2022 -
Can anyone direct me to a list of sites that allow password resets through security questions only? I would like to check my sites against those and put in unique responses for any sites I care about, as I assume (100%) that my true security question answers are available for any moderate hacker or even just an averagely persistent person.
Quora
quora.com › What-are-the-most-common-security-questions-to-retrieve-a-users-password
What are the most common security questions to retrieve a user's password? - Quora
Answer (1 of 14): Security question are gradually going away as new and better authentication systems come into play. Meanwhile, many online tools are still using security questions to retrieve credentials or verify identity. There are a lot of security questions, most are bad and shouldn’t be u...
Designingsecuresoftware
designingsecuresoftware.com › home › secret questions for password reset
Secret Questions for password reset - Designing Secure Software
July 11, 2024 - Questions should be designed to have answers unique to the user they won't forget, not known to attackers. Password reset requires answering the questions with the same answers in order to regain access.
SAP
userapps.support.sap.com › sap › support › knowledge › en › 2598816
2598816 - How to setup security question and answer for reset password - SuccessFactors Platform | SAP Knowledge Base Article
Users are asking how and where to setup the security questions and answers combination for password reset system verification. Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
myhrtoolkit
myhrtoolkit.com › support › how-to-guides › using-enhanced-security
Using security questions for password recovery | myhrtoolkit HR online
The option to reset security questions is available only if security questions are enabled in your organisation. Click on the Actions button against the user’s name and reset their questions.
Case Western Reserve University
case.edu › utech › help › knowledge-base › passwords › password-reset-questions-kba-100103
Password Reset Questions - KBA 100103 | University Technology, [U]Tech | Case Western Reserve University
April 19, 2018 - Select a security question from the Question dropdown box and enter the answer into the Answer and Re-Type Answer fields. Finally, click on the Submit button. If you find you can neither log in with your password nor change your password using the UTech Password Change page, someone may have guessed and reset your password in order to gain access to your CWRU Network account.
Stumble Forward
stumbleforward.com › home › scams & identity theft › the 10 most common password security questions
The 10 Most Common Password Security Questions
February 7, 2024 - The integrity of these website security questions is also damaged because many people view them as more of a nuisance than an effective security measure. According to Gartner Research, so-called self-service challenge questions can save companies between $51 and $147 for each password reset ...
Optimal IdM
optimalidm.com › home › news › security question best practices
Protecting Your Data: Best Practices for Security Questions
May 21, 2024 - Security questions offer secure solutions for retrieving and resetting passwords.
Quickbase Help
helpv2.quickbase.com › hc › en-us › articles › 4570395283348-Reset-security-question
Reset security question – Quickbase Help
Click the Reset security question button in the user details. (Note:This control will not appear if users are not required to answer their security question during password reset.)
Proton
proton.me › blog › security-questions-flaws-solutions
Are security questions terrible for account security? | Proton
February 27, 2025 - Security questions are meant to help reset passwords, reopen locked accounts, and ultimately protect your digital spaces from attacks or breaches, but such safeguarding is widely considered flawed and unreliable(new window).