Educause Security Discussion mailing list archives
Re: Password hints
From: "Strzelec, Wally" <wally () TAMU EDU>
Date: Fri, 12 Dec 2008 17:43:31 -0600
I ran across this a while back, perhaps it will help.

<http://www.securityps.com/resources/pdf/TipsforAvoidingBadQuestions.pdf>
---
Wally Strzelec, GCFA, GCWN
Sr. IT Manager
Computing & Information Services
Texas A&M University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason C. Belford
Sent: Friday, December 12, 2008 3:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password hints

Ian,

Does anyone have advice for what sort of questions might be allowable or wise to use for password challenge-response in the event someone forgets their password? I think recent guidelines have ruled out using your mother's maiden name and other old standards. How have you handled this at your campus?

Currently we have a list of 72 questions and pick 9 at random to display to the user (when setting up the challenge-response questions). A 10th option is where they can write their own question. We have seen some very impressive (and imaginative) questions being asked as well as those like "Mother's Maiden Name."

We are re-evaluating our hints, but we have learned a few lessons about user behavior in our attempts. Most importantly, stay away from questions which will have ephemeral answers (i.e. what is your favorite....).

--Jason

--
Jason C. Belford
Information Security Manager
Office of Information Technology
Georgia Institute of Technology
Phone: (404) 894 - 6159