Yesterday I delivered my presentation titled A Review of Real World Security Questions and Answers at PasswordsCon 13. I have written about security questions (AKA challenge questions) before, but this presentation is based on my analysis of thousands of actual user choices that were included in hacker database dumps from three different organizations this past year.
We don't often have an opportunity to see how people are actually using security questions outside of controlled surveys, so I was thrilled to dig into the data to see what additional insights it offered about their strengths and weaknesses. Hopefully you will find it to be a useful resource when making decisions about the use of security questions in your own organization.
You can find a copy of my presentation slides with my analysis at www.passwordresearch.com/securityqs.html. If you would like to talk about these findings you are welcome to contact me through email or on Twitter @PwdRsch. You can also post your comments or questions on this blog entry.