Educause Security Discussion
mailing list archives
Re: Password hints
From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Fri, 12 Dec 2008 22:12:17 -0500
This site does a good job analyzing various security questions and what makes them good or not.
http://goodsecurityquestions.com/ I think OWASP has some recommendations on this as well.
It's hard to come up with good questions because you need info that's easy to remember but not easy to find. Good
questions need to have a large number of answers. It may be true that your favorite color is not listed on the internet,
but it's probably one of the 8 colors in a basic Crayola crayon box. Good questions shouldn't change over time. Last
year my favorite movie was Batman Begins, but now I prefer The Dark Knight, etc.
I'm not a fan of user selected questions as it reduces account security to something like "What's my name" in some
cases. I don't want to manually review them either. It's very likely to be entertaining, but I'm pretty sure there are
more valuable uses of staff time.
One thing to consider: if you have to do a large-scale password reset (like if you lost a password file), how many people
will remember their security question from X number of years ago? It's probably a good idea to have them review it
periodically to make sure they remember the answer to their secret question.
Information Security Officer
On 12/12/2008 at 4:26 PM, in message
<ECB7018303A0474781B2F617FF8CAAFC020D4DBD () EXCHANGECL1 ad umassp edu>, "Stewart,
Ian" <istewart () UMASSP EDU> wrote:
Does anyone have advice for what sort of questions might be allowable or
wise to use for password challenge-response in the event someone forgets
their password? I think recent guidelines have ruled out using your
mother's maiden name and other old standards.
How have you handled this at your campus?
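As an added example (not code from anyone in this thread), here is a small check of the "large number of answers" point made above: given constructed answer counts for two candidate questions, it computes the entropy of the answer space and the share of users a guesser limited to a few attempts before lockout would recover. The distributions, the attempt limit and the acceptance threshold are assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample data (not survey results): how many of 100 users gave each
# answer to two candidate recovery questions.
SAMPLE_ANSWERS = {
    "favorite color": Counter({"blue": 40, "green": 20, "red": 15, "purple": 10,
                               "black": 6, "yellow": 4, "orange": 3, "brown": 2}),
    # 100 users, every answer different: a large answer space (constructed).
    "first street you lived on": Counter({f"street-{i}": 1 for i in range(100)}),
}

def shannon_entropy_bits(counts):
    """Average surprise of an answer; an optimistic measure of answer-space size."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def min_entropy_bits(counts):
    """Entropy of the single most common answer; what matters against one guess."""
    total = sum(counts.values())
    return -math.log2(max(counts.values()) / total)

def guess_success_rate(counts, attempts):
    """Fraction of users recoverable by trying the `attempts` most common answers,
    i.e. what a guesser gets before a lockout threshold stops them."""
    total = sum(counts.values())
    top = sum(c for _, c in counts.most_common(attempts))
    return top / total

def evaluate(counts, attempts=5, max_success=0.05):
    """Accept a question only if the lockout-limited success rate stays at or
    below max_success (the thresholds here are assumptions for this example)."""
    rate = guess_success_rate(counts, attempts)
    return {
        "shannon_bits": round(shannon_entropy_bits(counts), 2),
        "min_entropy_bits": round(min_entropy_bits(counts), 2),
        "success_rate": round(rate, 2),
        "acceptable": rate <= max_success,
    }

if __name__ == "__main__":
    for question, counts in SAMPLE_ANSWERS.items():
        print(f"{question}: {evaluate(counts)}")
```

With these numbers the color question, although it has 8 possible answers, gives up 91% of accounts within five guesses, while the street question stays at 5%.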