Educause Security Discussion
mailing list archives
Re: Password hints
From: "Jason C. Belford" <jason.belford () OIT GATECH EDU>
Date: Fri, 12 Dec 2008 16:35:30 -0500
Does anyone have advice for what sort of questions might be
allowable or wise to use for password challenge-response in the
event someone forgets their password? I think recent guidelines have
ruled out using your mother’s maiden name and other old standards.
How have you handled this at your campus?
Currently we have a list of 72 questions and pick 9 at random to
display to the user (when setting up the challenge-response
questions). A 10th option is where they can write their own
question. We have seen some very impressive (and imaginative)
questions being asked as well as those like "Mother's Maiden Name."
We are re-evaluating our hints, but we have learned a few lessons
about user behavior in our attempts. Most importantly, stay away
from questions which will have ephemeral answers (i.e. what is your
Jason C. Belford
Information Security Manager
Office of Information Technology
Georgia Institute of Technology
Phone: (404) 894 - 6159
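An added illustration of the enrollment scheme the post describes (a bank of questions, nine shown at random, a tenth write-your-own slot); this is example code, not Georgia Tech's or the list's. The 72-entry bank and the weak-phrase list are constructed placeholders, and storing answers as salted PBKDF2 hashes after normalization is an assumption of the example.

```python
import hashlib
import hmac
import os
import random
import unicodedata

# Constructed stand-in for the campus's 72-question bank (real questions are not on the page).
QUESTION_BANK = [f"Question {i}" for i in range(1, 73)]
# Phrases that disqualify a write-your-own question; "maiden name" comes from the post,
# the rest are assumptions.
WEAK_PHRASES = ("maiden name", "mother's maiden", "date of birth")


def pick_questions(bank=QUESTION_BANK, n=9, rng=None):
    """Return n distinct questions chosen at random from the bank (the post's 9 of 72)."""
    rng = rng or random.SystemRandom()
    return rng.sample(bank, n)


def is_acceptable_custom_question(text):
    """Screen the 10th, user-written question: refuse short or known-weak questions."""
    t = " ".join(text.casefold().split())
    if len(t) < 10:
        return False
    return not any(phrase in t for phrase in WEAK_PHRASES)


def normalize_answer(answer):
    """Case-fold, strip accents and collapse whitespace so capitalization or
    spacing differences at reset time do not lock the user out."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.casefold().split())


def enroll_answer(answer, salt=None):
    """Store only a salted PBKDF2 hash of the normalized answer (assumption, not from the post)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 100_000)
    return salt, digest


def verify_answer(answer, salt, digest):
    """Constant-time comparison of a candidate answer against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)
```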