Educause Security Discussion
mailing list archives
Re: Password hints
From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 15 Dec 2008 11:34:53 -0500
Roger Safian wrote:

At 05:57 PM 12/12/2008, Brian Kaye put fingers to keyboard and wrote:

Why not allow them to create their own challenge question with some
appropriate scan of the question and answer?

FWIW, in our case, we wanted to create a system that the users
could use online. If you allow users to create their own questions,
and you want a self remediation online access, then they need to
answer their question exactly the same. It doesn't always work that
way, since people forget things like capitalization, etc.

We've been contemplating a system that converts everything to
lower case and strips whitespace.

As for user chosen questions and answers, they MUST be supplemented
with other information ( e.g. org chosen questions, org data, external
e-mail address account password ). Otherwise some percentage will:

1) Choose questions with a limited range of possible answers:
   What color is my favorite sweater?

2) Choose questions whose answers are available on their

James Madison University
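
The normalization discussed in this message (convert to lower case, strip whitespace), sketched as an added Python example that is not part of the original post or of any system the posters describe. It goes one step further than the thread by storing only a salted PBKDF2 digest of the normalized answer; the NFKC folding, the iteration count, and the sample answers are assumptions made for the example.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 200_000  # assumed work factor, tune for your hardware


def normalize_answer(answer: str) -> str:
    """Lower-case the answer and strip all whitespace, as proposed in the thread.

    NFKC folding is an added assumption so that visually identical Unicode
    input (full-width letters, non-breaking spaces) normalizes the same way.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if not ch.isspace())


def enroll_answer(answer: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to store instead of the plaintext answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Normalize the candidate the same way, then compare in constant time."""
    attempt = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    salt, digest = enroll_answer("Blue Sweater")
    for attempt in ("blue sweater", "  BLUE\tsweater ", "red sweater"):
        print(repr(attempt), verify_answer(attempt, salt, digest))
```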