Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Password hints
From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 15 Dec 2008 11:34:53 -0500

Roger Safian wrote:
At 05:57 PM 12/12/2008, Brian Kaye put fingers to keyboard and wrote:
Why not allow them to create their own challenge question with some
appropriate scan of the question and answer?

FWIW, in our case, we wanted to create a system that the users
could use online.  If you allow users to create their own questions,
and you want a self remediation online access, then they need to
answer their question exactly the same.  It doesn't always work that
way, since people forget things like capitalization, etc.

We've been contemplating a system that converts everything to
lower case and strips whitespace.

As for user chosen questions and answers, they MUST be supplemented
with other information ( e.g. org chosen questions, org data, external
e-mail address account password ). Otherwise some percentage will:

1) Choose questions with a limited range of possible answers:
   What color is my favorite sweater?

2) Choose questions whose answers are available on their
   MySpace/Facebook page.

Gary Flynn
Security Engineer
James Madison University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]