The plan for conducting simple usability/security testing for self-service password resets consists of designing three types of questions:
These question sets can be mocked up with a tool like Balsamiq, or even more easily using survey.vt.edu.
We would ask participants to work in two sessions: the first to choose security questions, and the second to attempt to remember the answers they chose in the first session. We could probably recruit enough volunteers from AISB and RB 14 if supervisors allowed employees to participate, if our hours were flexible, and if we provided some small incentive like candy. Once we have gathered questions and answers, we can turn them over to the Security Office for their assessment. For example, is one type of question/answer pair more easily guessable than another?
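The assessment step above can be made concrete. The script below is an added example, not part of the original plan or any tool mentioned on this page; it assumes the two-session data is collected as one record per participant (the answer chosen in session 1 and the answer recalled in session 2) and scores each candidate question on two things: guessability, measured as the share of participants an attacker would hit with the single most common answer (and with the three most common), and memorability, measured as the fraction of participants who reproduced their own session-1 answer. The sample responses are constructed for illustration, not study results.

```python
from collections import Counter
from dataclasses import dataclass
import math
import re

# Constructed sample data (not from the study): for each candidate question,
# one record per participant: (participant id, session-1 answer, session-2 answer).
SAMPLE_RESPONSES = {
    "What is your favorite color?": [
        ("p1", "Blue", "blue"),
        ("p2", "blue", "Blue "),
        ("p3", "Green", "green"),
        ("p4", "BLUE", "blue"),
        ("p5", "red", "red"),
        ("p6", "blue", "green"),
    ],
    "What was the name of your first pet?": [
        ("p1", "Rex", "rex"),
        ("p2", "Whiskers", "Whiskers"),
        ("p3", "Mittens", "mittens"),
        ("p4", "Buddy", "Buddy"),
        ("p5", "Rex", "Rex"),
        ("p6", "Luna", "Lunna"),
    ],
}


def normalize(answer):
    """Canonicalize an answer so trivial variations (case, spacing) compare equal,
    which is how a lenient reset system would compare them too."""
    return re.sub(r"\s+", " ", answer.strip().lower())


@dataclass
class QuestionMetrics:
    participants: int
    distinct_answers: int
    top1_share: float        # fraction of users hit by a single best guess
    top3_share: float        # fraction hit by the three most common answers
    min_entropy_bits: float  # -log2(top1_share): effective bits against one guess
    recall_rate: float       # fraction who reproduced their own session-1 answer


def assess(responses):
    """Score one question's responses for guessability and memorability."""
    n = len(responses)
    first_session = Counter(normalize(a1) for _, a1, _ in responses)
    ranked_counts = [count for _, count in first_session.most_common()]
    top1 = ranked_counts[0] / n
    top3 = sum(ranked_counts[:3]) / n
    recalled = sum(1 for _, a1, a2 in responses if normalize(a1) == normalize(a2))
    return QuestionMetrics(
        participants=n,
        distinct_answers=len(first_session),
        top1_share=top1,
        top3_share=top3,
        min_entropy_bits=-math.log2(top1),
        recall_rate=recalled / n,
    )


def assess_all(data):
    """Return {question: QuestionMetrics} for every question in the data set."""
    return {question: assess(responses) for question, responses in data.items()}


def rank_by_guessability(data):
    """Questions ordered from least to most guessable (lowest top-1 share first)."""
    metrics = assess_all(data)
    return sorted(metrics, key=lambda q: metrics[q].top1_share)


if __name__ == "__main__":
    for question, m in assess_all(SAMPLE_RESPONSES).items():
        print(f"{question}")
        print(f"  participants={m.participants} distinct={m.distinct_answers}")
        print(f"  top-1 share={m.top1_share:.2f} top-3 share={m.top3_share:.2f} "
              f"min-entropy={m.min_entropy_bits:.2f} bits")
        print(f"  recall rate={m.recall_rate:.2f}")
    print("Least guessable first:", rank_by_guessability(SAMPLE_RESPONSES))
```

With the constructed data, "favorite color" is far more guessable (two thirds of participants share one answer) while both questions were recalled equally well, which is the kind of trade-off the Security Office would weigh when choosing which question types to keep. On real data the same script would be run over the de-identified survey export, and the top-k shares are what matter most, since a reset attacker is typically rate-limited to a handful of guesses.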
See Ideas for password reset questions for more details.