“Security” Questions Considered Harmful
Passwords 2015 Las Vegas
Jim Fenton
@jimfenton
Everyone has seen this
Why do they do this?
It’s a cheaper way to do account recovery
Characteristics

                PASSWORD                                  SECURITY ANSWER
COMPLEXITY      Complexity often “enforced” by            Often a word or name
                complex rules
SECRECY         Users are told to keep passwords          Security answers available on
                secret                                    Facebook, Ancestry… (OPM?)
SHARING         Attempts to train users not to share      Security questions are common
                passwords between sites                   between sites
STORAGE         Should be salted and hashed               Can’t salt/hash if need to do
                                                          fuzzy matching
Best Practices?
“…make the Forgot Password solution as palatable as possible”
—OWASP, “Choosing and Using Security Questions Cheat Sheet”
https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
But, to be fair…
—OWASP
Opting out
• Answering security questions is rarely optional
• Many recommend answering the questions with gibberish
• Many users don’t realize they can (or should) make up answers
• Security questions often eliminate better methods for account recovery
• We aren’t trying to solve this problem just for security professionals!
Context is important
[Figure: three bracketed groups of examples, labelled “Must be truthful”, “Must be truthful”, and “Make something up”]
Looking up the answer
• What is your mother’s maiden name?
• What is your oldest sibling’s birthday month and year?
• What high school did you attend?
• What school did you attend for sixth grade?
• What was the last name of your third grade teacher?
• What was your childhood phone number?
• What hospital were you born in?
And, of course…
But if you need to guess…
• First name
• Favorite team
• Family name
• First/favorite pet
• Color of first car
• Street names (by state)
Some questions are just bad!
• “What is your favorite season?” (eDisclosure/SouthTech Systems)
  Only 4 choices, unless you include “football”, “strawberry”, etc.
• “Who is the first president you voted for?” (California DMV)
  Very limited choices, especially if approximate age of user known
• “What is the year in which you were married? (YYYY)” (Fidelity Investments)
  Easy to guess, especially if user is young
False negatives, too
• Many questions have more than one “right” answer:
  • “What is the last name of your childhood best friend?”
  • “What is your favorite color?”
  • “What is the name of a college you applied to but didn’t attend?”
• Many questions have ambiguous formatting, difficult to canonicalize:
  • (213) 555-2368 vs. 213/5552368 and +44 7786 230167 vs (07786) 230167
  • West Maple Street vs. W. Maple St.
• Throttling strategies need to accommodate guessing by the intended user as well as by attackers
What to do?
• Challenge questions might have some role in nuisance limitation
• Example: Challenging user prior to sending password reset email
• Choose questions that have deterministic, hashable answers
• Don’t expect any real security, even when multiple questions are asked
• Consider insider threats, e.g., disgruntled ex-spouses
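The canonicalization, storage and throttling points from the “False negatives, too” and “What to do?” slides, worked through as an added example (this is not code from the deck or from any site it names). It assumes a hypothetical `ChallengeStore` with one answer per account, a constructed `STREET_ABBREV` table, a `default_cc` parameter supplying the country calling code assumed for numbers typed without a “+” prefix, and PBKDF2 standing in for whatever password hash the site already uses. Answers are normalized deterministically before hashing, so the two phone formats and the two street spellings from the slide match, while a misspelling does not: once only a salted hash is stored, there is no fuzzy matching to fall back on, which is the trade-off the “STORAGE” row describes.

```python
import hashlib
import hmac
import re
import secrets

# Constructed abbreviation table for this example; a real deployment needs a
# fuller list, and the same list at enrollment and at verification.
STREET_ABBREV = {
    "street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd",
    "drive": "dr", "lane": "ln",
    "north": "n", "south": "s", "east": "e", "west": "w",
}


def canonical_street(answer: str) -> str:
    """Lower-case, strip punctuation and collapse common abbreviations so that
    'West Maple Street' and 'W. Maple St.' produce the same string."""
    tokens = re.sub(r"[^a-z0-9]+", " ", answer.lower()).split()
    return " ".join(STREET_ABBREV.get(t, t) for t in tokens)


def canonical_phone(answer: str, default_cc: str) -> str:
    """Reduce a phone number to country code + national number, digits only.
    default_cc (hypothetical parameter) is the calling code assumed when the
    answer has no '+' prefix; a trunk prefix such as the UK '0' is dropped.
    A bare country code typed without '+' is not handled by this toy version."""
    digits = re.sub(r"\D", "", answer)
    if answer.strip().startswith("+"):
        return digits
    return default_cc + digits.lstrip("0")


def canonicalize(kind: str, answer: str, default_cc: str) -> str:
    """Dispatch to the canonicalizer for a question kind (only two kinds here)."""
    if kind == "phone":
        return canonical_phone(answer, default_cc)
    if kind == "street":
        return canonical_street(answer)
    raise ValueError(f"no canonicalizer for question kind {kind!r}")


def hash_answer(canonical: str, salt: bytes) -> bytes:
    """Salted, slow hash of the canonical answer, stored as a password would be."""
    return hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"), salt, 100_000)


class ChallengeStore:
    """In-memory store of one challenge answer per account with per-account
    throttling. Only salt and hash are kept, never the answer itself."""

    # Small enough to blunt guessing, large enough for the real user's typos.
    MAX_ATTEMPTS = 5

    def __init__(self) -> None:
        self.records = {}   # account -> (kind, salt, hash)
        self.attempts = {}  # account -> failed attempts since last success

    def enroll(self, account: str, kind: str, answer: str, default_cc: str = "1") -> None:
        salt = secrets.token_bytes(16)
        digest = hash_answer(canonicalize(kind, answer, default_cc), salt)
        self.records[account] = (kind, salt, digest)
        self.attempts[account] = 0

    def verify(self, account: str, answer: str, default_cc: str = "1") -> str:
        """Return 'ok', 'mismatch' or 'locked'. A near-miss such as a
        misspelling is a plain mismatch: with only a hash stored there is
        no fuzzy comparison available."""
        if self.attempts.get(account, 0) >= self.MAX_ATTEMPTS:
            return "locked"
        kind, salt, stored = self.records[account]
        self.attempts[account] += 1
        candidate = hash_answer(canonicalize(kind, answer, default_cc), salt)
        if hmac.compare_digest(candidate, stored):
            self.attempts[account] = 0
            return "ok"
        return "mismatch"


if __name__ == "__main__":
    store = ChallengeStore()
    store.enroll("alice", "phone", "(213) 555-2368", default_cc="1")
    print(store.verify("alice", "213/5552368", default_cc="1"))   # ok
    store.enroll("carol", "street", "West Maple Street")
    print(store.verify("carol", "W. Maple St."))                  # ok
    print(store.verify("carol", "West Mapel Street"))             # mismatch
```

The lockout counter resets only on success, so a legitimate user who mistypes a few times still gets in, while a guesser working through a short list of common answers is cut off after `MAX_ATTEMPTS`; per the slide, the choice of question (deterministic, hashable answers) matters more than either knob, and none of this should be mistaken for real authentication strength.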
References
• M. Just and D. Aspinall. Personal choice and challenge questions: a security and usability assessment. In Proceedings of the 5th Symposium on Usable Privacy and Security, pages 1–11. ACM, 2009.
• Joseph Bonneau, Mike Just and Greg Matthews. What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. FC '10: The 14th International Conference on Financial Cryptography. Tenerife, Spain.
• Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson, and Mike Williamson. 2015. Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google. In Proceedings of the 24th International Conference on World Wide Web (WWW '15). International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 141–150.
• OWASP, Choosing and Using Security Questions Cheat Sheet. https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
• Insecurity Questions blog. https://insecurityq.wordpress.com
Thank you!
(No, it’s not)