Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Password hints
From: "Jason C. Belford" <jason.belford () OIT GATECH EDU>
Date: Fri, 12 Dec 2008 16:35:30 -0500

Ian,

Does anyone have advice for what sort of questions might be allowable or wise to use for password challenge-response in the event someone forgets their password? I think recent guidelines have ruled out using your mother’s maiden name and other old standards.
How have you handled this at your campus?

Currently we have a list of 72 questions and pick 9 at random to display to the user (when setting up the challenge-response questions). A 10th option is where they can write their own question. We have seen some very impressive (and imaginative questions) being asked as well as those like "Mother's Maiden Name."

We are re-evaluating our hints, but we have learned a few lessons about user behavior in our attempts. Mostly importantly, stay away from questions, which will have ephemeral answers (i.e. what is your favorite....).

--Jason

--
Jason C. Belford
Information Security Manager
Office of Information Technology
Georgia Institute of Technology
Phone: (404) 894 - 6159


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]