Educause Security Discussion mailing list archives
Re: Exposing security questions
From: Timothy Payne <tpayne1 () MACALESTER EDU>
Date: Wed, 20 Jan 2010 12:22:44 -0600
Definitely want to avoid any reference to or part of SSN. When you design your security questions, don't use obvious things (middle name, hometown, mother's maiden name, etc). Those are very easy to figure out now that our entire life history and genealogy are on the Internet. I like questions that are obscure to a stranger, but not impossible to remember, such as (first girlfriend/boyfriend, favorite pet's name, etc).

Personally, I have a little matrix in my head that I use to answer the questions. For example, when I'm asked for 'favorite pet's name', I always enter something totally different, such as my favorite color. The answers don't have to be correct, you just need to remember WHAT you answered. But most people just diligently answer the questions truthfully, which is why using facts that aren't easily found on their Facebook page, or that their roommate knows, can lead to better security.

Tim Payne, CISSP, CISM, CCNA
Network Administrator
Macalester College

On Wed, Jan 20, 2010 at 12:11 PM, Scott O. Bradner <sob () harvard edu> wrote:
Any thoughts or suggestions

enter his/her SSN and ..

fwiw - I think it is a bad idea getting people at ease with putting a SSN into a system (and one that might be able to be spoofed)

in addition, it means that the backup system will be full of SSNs and thus a target

Scott