Re: Password hints

["Strzelec, Wally" <wally () TAMU EDU>]

I ran across this a while back, perhaps it will help.

 

www.securityps.com/resources/pdf/TipsforAvoidingBadQuestions.pdf
<http://www.securityps.com/resources/pdf/TipsforAvoidingBadQuestions.pdf
>

 

---

Wally Strzelec, GCFA, GCWN

Sr. IT Manager

Computing & Information Services

Texas A&M University

 

 

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason C. Belford
Sent: Friday, December 12, 2008 3:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password hints

 

Ian,





Does anyone have advice for what sort of questions might be allowable or
wise to use for password challenge-response in the event someone forgets
their password? I think recent guidelines have ruled out using your
mother's maiden name and other old standards.

How have you handled this at your campus?

 

Currently we have a list of 72 questions and pick 9 at random to display
to the user (when setting up the challenge-response questions).  A 10th
option is where they can write their own question.  We have seen some
very impressive (and imaginative questions) being asked as well as those
like "Mother's Maiden Name."

 

We are re-evaluating our hints, but we have learned a few lessons about
user behavior in our attempts.  Mostly importantly, stay away from
questions, which will have ephemeral answers (i.e. what is your
favorite....).  

 

--Jason





--

Jason C. Belford
Information Security Manager
Office of Information Technology
Georgia Institute of Technology
Phone: (404) 894 - 6159