Educause Security Discussion
mailing list archives
Re: Password hints
From: Neil Matatall <neil.m () UCI EDU>
Date: Fri, 12 Dec 2008 13:58:44 -0800
I like websites that let you create your own question(s). I can make up
something as specific as "what CD were you listening to on flight x".
Of course, this allows people to enter a mother's maiden name type
question so a combination of the free-form pre-populated questions is
what I think works best.
Jason C. Belford wrote:
Does anyone have advice for what sort of questions might be allowable
or wise to use for password challenge-response in the event someone
forgets their password? I think recent guidelines have ruled out using
your mother’s maiden name and other old standards.
How have you handled this at your campus?
Currently we have a list of 72 questions and pick 9 at random to display
to the user (when setting up the challenge-response questions). A 10th
option is where they can write their own question. We have seen some
very impressive (and imaginative questions) being asked as well as those
like "Mother's Maiden Name."
We are re-evaluating our hints, but we have learned a few lessons about
user behavior in our attempts. Mostly importantly, stay away from
questions, which will have ephemeral answers (i.e. what is your
Jason C. Belford
Information Security Manager
Office of Information Technology
Georgia Institute of Technology
Phone: (404) 894 - 6159