Educause Security Discussion
mailing list archives
Re: Password hints
From: "Strzelec, Wally" <wally () TAMU EDU>
Date: Fri, 12 Dec 2008 17:43:31 -0600
I ran across this a while back, perhaps it will help.
Wally Strzelec, GCFA, GCWN
Sr. IT Manager
Computing & Information Services
Texas A&M University
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason C. Belford
Sent: Friday, December 12, 2008 3:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password hints
Does anyone have advice for what sort of questions might be allowable or
wise to use for password challenge-response in the event someone forgets
their password? I think recent guidelines have ruled out using your
mother's maiden name and other old standards.
How have you handled this at your campus?
Currently we have a list of 72 questions and pick 9 at random to display
to the user (when setting up the challenge-response questions). A 10th
option is where they can write their own question. We have seen some
very impressive (and imaginative) questions being asked as well as those
like "Mother's Maiden Name."
We are re-evaluating our hints, but we have learned a few lessons about
user behavior in our attempts. Most importantly, stay away from
questions which will have ephemeral answers (i.e. what is your
Jason C. Belford
Information Security Manager
Office of Information Technology
Georgia Institute of Technology
Phone: (404) 894 - 6159