Educause Security Discussion
mailing list archives
Re: Password hints
From: Brian Kaye <bdk () UNB CA>
Date: Sun, 14 Dec 2008 18:25:43 -0400
On Mon, 15 Dec 2008, Russell Fulton wrote:
> Date: Mon, 15 Dec 2008 07:54:55 +1300
> From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
> Reply-To: The EDUCAUSE Security Constituent Group Listserv
> <SECURITY () LISTSERV EDUCAUSE EDU>
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password hints
>
> On 13/12/2008, at 12:57 PM, Brian Kaye wrote:
> > Why not allow them to create their own challenge question with some
> > appropriate scan of the question and answer?
>
> The latter is the difficult bit. How do you stop people including the
> password in the question?

A comparison of the text at the time the question is set would eliminate
the clear text answers. You might do any of a bunch of matches to
invalidate a question. Any answer that is encoded in the question by some
algorithm only the owner knows might suffice. Certainly better than the
maiden name/favourite colour questions.
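
The scan discussed in this message, sketched as an added example that is not part of the original post or any list member's code. The function names and the `MIN_LEN` threshold are hypothetical, and the sketch assumes the user has just re-entered their password, so its plain text is available when the question is set. It rejects plain, reversed, spaced-out or punctuated copies of the answer or password; a private encoding known only to the owner is not detected.

```python
import re
import unicodedata

MIN_LEN = 4  # assumed threshold: fragments shorter than this are not matched


def _norm(text: str) -> str:
    """Case-fold, strip accents, and keep only letters and digits."""
    decomposed = unicodedata.normalize("NFKD", text)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", no_marks.casefold())


def _variants(secret: str) -> set[str]:
    """Forms of a secret that a plain-text scan of the question should catch."""
    whole = _norm(secret)
    forms = {whole, whole[::-1]}                     # as typed and reversed
    forms |= {_norm(word) for word in secret.split()}  # each word of a phrase
    return {f for f in forms if len(f) >= MIN_LEN}


def check_question(question: str, answer: str, password: str) -> list[str]:
    """Return the reasons a user-written question is rejected (empty = accepted)."""
    # Removing spaces and punctuation from the question means "p a s s" and
    # "p-a-s-s" are compared the same way as "pass".
    q = _norm(question)
    reasons = []
    if len(_norm(answer)) < MIN_LEN:
        reasons.append("answer too short")
    for label, secret in (("answer", answer), ("password", password)):
        if any(v in q for v in _variants(secret)):
            reasons.append(f"question contains the {label}")
    if _norm(answer) and _norm(answer) == _norm(password):
        reasons.append("answer equals the password")
    return reasons


if __name__ == "__main__":
    # Constructed sample input, not taken from the thread.
    print(check_question("hint: T r 0 u b 4 d o r & 3", "blue kettle", "Tr0ub4dor&3"))
```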