Educause Security Discussion mailing list archives

Re: Exposing security questions


From: Timothy Payne <tpayne1 () MACALESTER EDU>
Date: Wed, 20 Jan 2010 12:22:44 -0600

Definitely want to avoid any reference to or part of SSN.  When you
design your security questions, don't use obvious things (middle name,
hometown, mother's maiden name, etc.).  Those are very easy to figure
out now that our entire life history and genealogy are on the
Internet.  I like questions that are obscure to a stranger, but not
impossible to remember, such as first girlfriend/boyfriend, favorite
pet's name, etc.

Personally, I have a little matrix in my head that I use to answer the
questions.  For example, when I'm asked for 'favorite pet's name', I
always enter something totally different, such as my favorite color.
The answers don't have to be correct; you just need to remember WHAT
you answered.  But most people just diligently answer the questions
truthfully, which is why using facts that aren't easily found on their
Facebook page, or that their roommate knows, can lead to better
security.

Tim Payne, CISSP, CISM, CCNA
Network Administrator
Macalester College



On Wed, Jan 20, 2010 at 12:11 PM, Scott O. Bradner <sob () harvard edu> wrote:
Any thoughts or suggestions

enter his/her SSN and  ..

fwiw - I think it is a bad idea getting people at ease with putting
a SSN into a system (and one that might be able to be spoofed)

in addition, it means that the backup system will be full of SSNs and
thus a target

Scott

