A domain has been registered called goodsecurityquestion.com. It’s hard to believe it isn’t a phishing site but it seems legit, albeit a bit sarcastic. It warns emphatically, for example, “there really are NO GOOD security questions” while at the same time it provides a list called “Good Security Questions”.

Maybe they should have said there is NO goodsecurityquestion.com.

My real issue with the site is that it does not explain in much detail why a good question differs from a fair question. Answering with a city in the good list does not seem any better than answering with a city in the fair list. In other words, the start of the question in the good list is “In what city…” and the start of the question in the fair list is “In what city…”, which seems to violate their own rules.

Perhaps an argument could be made for types of city questions. Threats will use brute force or research to guess the answers. So a question that asks for a honeymoon city might be easier to guess (shorter list) than a question that asks about a birth city. But that seems unlikely. Counter arguments are easy to make (e.g. if you ask for a city the rest of the question is ignored).

We used to spend long days and nights at Yahoo! trying to craft tough questions. A lot of research has been done since then but what I haven’t seen yet is a compound question system. It would be nice if the user could select from two parts (e.g. favorite sports team and then color, or favorite sports team and MVP). When answering they only get the first half of the question. The second part would be hidden from the attacker and therefore brute force and research would both be seriously disadvantaged.