Are Your Self-Service Password Reset Security Questions a Challenge?

Strengthen your security challenge.

Self-service password reset and password management software eliminates countless headaches within your organization while improving information security. Business users manage their own accounts in real time, and your IT Help Desk avoids a steady stream of routine service calls that industry experts price at roughly $13 per request. Automation around password reset improves efficiency and data security, but the reset path is an alternative way into every account it protects: your network is only as safe as the security questions you ask and the answers your business users supply.

Self-Service Password Reset Best Practices

What characteristics define highly effective self-service password reset security questions?


The efficacy of any self-service password reset security question rests on soliciting a response that can't be easily guessed or researched by someone other than the business user. For example, "In what city were you born?" is easily researchable, as is "From what high school did you graduate?" Other questions, like "What is your eye color?" or "What is your favorite sport?", are problematic because the range of plausible answers is so narrow that an attacker can exhaust it in a handful of guesses, and a quick look at the user's social media often answers either question outright.


Self-service password reset questions where the intuitive response may shift also present problems, because users can't keep track of what they were thinking when they initially supplied the answers. For instance, the top-of-mind responses to "What is your favorite color?" or "What is your favorite movie?" may change over time. Imagine being asked by a Help Desk assistant, "What is your favorite food?" You'd hardly be alone if you asked, "Can you give me a hint?" If your business user supplied this information years ago, these seemingly simple questions may leave them scratching their heads. Kettle Corn? Gazpacho? Pad Thai? Guacamole? Who knows what struck their fancy on the day in question?


A self-service password reset security question shouldn’t make you think too hard, so queries that require recollection of obscure or trivial information aren’t terribly effective. For instance, “What is the first name of your third grade teacher?” or “What make and color was your first bicycle?” require delving deep, and it’s highly likely that your business user won’t remember or will guess incorrectly.


In addition to being difficult to guess or research, stable over time and memorable, the best self-service password reset security questions require a simple, definitive one-word answer. You could ask "In what city did your parents first meet?" or "What is your paternal grandmother's maiden name?" These simple yet highly specific questions are good examples of solid security queries, with one caveat: family names of that kind do surface in public genealogical records, which is one more reason to require several such questions rather than a single one. And if you don't make responses case sensitive, you further simplify the process. In practice that means normalizing the answer (case, spacing, punctuation) before it is stored and again before it is compared, and storing it salted and hashed exactly as you would a password, since an answer that unlocks a reset is a password in all but name.


You can further fortify your safeguards by requiring business users to answer a string of questions rather than a single query. When you design a series of questions, about 3 to 4 is ideal, that each meet the parameters described above, and require every answer to be correct, an attacker has to guess or research all of them at once, which sharply reduces the risk of easy access by hackers and unauthorized users.


The string of questions you ask should draw on more than one kind of information, an approach this article calls multifactor. The first question type queries something the user knows, such as an anniversary date or their high school mascot. The second type asks about something the user has, such as a phone number or license plate number. The third type focuses on a specific piece of information from the respondent's past, such as the name of the school where they attended kindergarten or their maternal grandfather's first name. Be precise about what this buys you: typing a phone number proves the user knows the number, not that they are holding the phone, so all three question types are knowledge factors, and the mix guards against any single leaked or researchable fact rather than adding a true second factor. Only if the reset system also sends a one-time code to the phone already on file does the flow gain a genuine possession factor.

For maximum effectiveness, the user should be required to select from a question bank for each type. Ideally, the questions should be randomized and presented one at a time each time a user resets a password; password management systems that display the whole series at once hand an attacker the complete list to research before answering, so they are more vulnerable than systems presenting questions singly. However the questions are presented, the system should accept answers only for the questions it actually asked, report a single pass or fail without revealing which answer was wrong, and lock the reset path after a small number of failed attempts so that a guessing campaign falls back to the Help Desk instead of continuing unattended.
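The enrollment and verification logic the last three paragraphs describe, as an added example (this is not Avatier's product code): answers are normalized for case, spacing and punctuation, then salted and hashed like passwords; enrollment insists on questions drawn from a bank that covers each question type; every reset draws a random subset, remembers which questions were asked, and verification returns one pass/fail for exactly that set while counting failures toward lockout. The question bank, the sample answers, the three-question policy and the five-attempt limit are assumptions made for the illustration.

```python
"""Security-question enrollment and verification for a self-service
password reset flow.

Added example: this is not Avatier's product code.  It assumes an in-memory
per-user record (a real deployment would persist it), a constructed question
bank, and a policy that N_REQUIRED randomly chosen questions must all be
answered correctly within MAX_ATTEMPTS failed tries."""
import hashlib
import hmac
import os
import random
import unicodedata

# Constructed bank grouped by the article's three question types.  Once asked
# as questions, all three are knowledge factors: typing a phone number proves
# you know it, not that you hold the phone.
QUESTION_BANK = {
    "knows": ["What was your high school mascot?",
              "In what month is your wedding anniversary?"],
    "has":   ["What is your mobile phone number?",
              "What is your car's license plate number?"],
    "past":  ["At what school did you attend kindergarten?",
              "What is your maternal grandfather's first name?"],
}
N_REQUIRED = 3           # questions per reset; every one must be right
MAX_ATTEMPTS = 5         # failed resets before the user must call the Help Desk
PBKDF2_ROUNDS = 100_000  # illustrative; tune upward like any password hash


def normalize(answer: str) -> str:
    """Canonicalize so harmless variation does not fail the user.
    'St. Louis ', 'st louis' and 'STLOUIS' all become 'stlouis';
    accents are stripped so 'Élan' becomes 'elan'."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(c for c in stripped.casefold() if c.isalnum())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Answers are secrets: store them salted and hashed, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def enroll(chosen: dict) -> dict:
    """chosen maps question text -> plaintext answer.  Enforces the rules
    above: questions come from the bank, at least one of each type, enough
    of them, and no blank answers.  Returns the record to store."""
    bank_questions = {q for qs in QUESTION_BANK.values() for q in qs}
    unknown = set(chosen) - bank_questions
    if unknown:
        raise ValueError(f"not in question bank: {sorted(unknown)}")
    missing = [t for t, qs in QUESTION_BANK.items()
               if not any(q in chosen for q in qs)]
    if missing:
        raise ValueError(f"pick at least one question of each type: {missing}")
    if len(chosen) < N_REQUIRED:
        raise ValueError(f"need at least {N_REQUIRED} questions")
    record = {"answers": {}, "failed": 0, "pending": None}
    for question, answer in chosen.items():
        if not normalize(answer):
            raise ValueError(f"blank answer for: {question!r}")
        salt = os.urandom(16)
        record["answers"][question] = (salt, hash_answer(answer, salt))
    return record


def challenge(record: dict, rng=random.SystemRandom()) -> list:
    """Pick N_REQUIRED enrolled questions in random order and remember them,
    so the user (or an attacker) cannot choose which ones to answer.  The UI
    should present these one at a time rather than all together."""
    record["pending"] = rng.sample(list(record["answers"]), N_REQUIRED)
    return list(record["pending"])


def verify(record: dict, responses: dict) -> bool:
    """Return a single pass/fail for the outstanding challenge.  Every answer
    is checked (no early exit) with a constant-time compare, and the caller
    is never told which one was wrong.  Failures count toward lockout."""
    if record["failed"] >= MAX_ATTEMPTS:
        return False                       # locked out: route to the Help Desk
    pending, record["pending"] = record["pending"], None   # one challenge, one try
    ok = pending is not None and set(responses) == set(pending)
    for question in pending or []:
        salt, digest = record["answers"][question]
        candidate = hash_answer(responses.get(question, ""), salt)
        if not hmac.compare_digest(candidate, digest):
            ok = False
    record["failed"] = 0 if ok else record["failed"] + 1
    return ok


if __name__ == "__main__":
    user = enroll({
        "What was your high school mascot?": "Tigers",
        "What is your car's license plate number?": "ABC 123",
        "What is your maternal grandfather's first name?": "Arthur",
    })
    asked = challenge(user)
    typed = {"What was your high school mascot?": " tigers",
             "What is your car's license plate number?": "abc-123",
             "What is your maternal grandfather's first name?": "ARTHUR"}
    print("reset allowed:", verify(user, {q: typed[q] for q in asked}))
```

The record's `pending` field is what ties the two halves together: a response set that does not match the questions the system chose fails outright, and a failed or incomplete attempt still burns one of the allowed tries. The normalization deliberately throws away spacing and punctuation so "abc-123" and "ABC 123" match; the small loss of answer entropy is worth far fewer Help Desk calls from users who typed the right thing in the wrong shape.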

Self-Service Password Reset Summary

The key is balancing simplicity for your user with enough complexity for solid password management security. Self-service password reset and password management empowers business users and reduces Help Desk call volume. When business users can't successfully navigate their security question string, you can be sure that they'll call the Help Desk. To avoid this hassle, construct your self-service password reset security questions to be highly personal, private, specific, memorable and drawn from more than one kind of information. Everyone will thank you in the end, because your information security process will improve, cost less and provide a better user experience.


Written by Gary Thompson

Gary Thompson is a 35-year veteran of the PR industry. He was the president of Shandwick International, the world's largest agency with 2000 people in 90 offices and 32 countries. A million-mile flyer on both American and United, he got off the road at the "encouragement" of his wife. Four years ago, he founded his own firm, Clarity Communications, which counts Avatier as one of its most successful clients.