Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Password hints
From: Adam Schumacher <adamschumacher () CREIGHTON EDU>
Date: Mon, 15 Dec 2008 13:24:43 -0600

We require the user to pick a question from dropdowns.  I've used sites like
the aforementioned goodsecurityquestions.com to develop the questions which
attempt to ask for specific, unchanging, and yet generally private
information.  Of course, since I don't trust that process alone, a user also
has to set up an alternate email or cellphone number that a OTP gets sent to
before they can reset their password.  Yay for 2 factor!

On 12/12/08 3:26 PM, "Stewart, Ian" <istewart () UMASSP EDU> wrote:

Does anyone have advice for what sort of questions might be allowable or
wise to use for password challenge-response in the event someone forgets
their password? I think recent guidelines have ruled out using your
mother's maiden name and other old standards.

How have you handled this at your campus?

Thanks, Ian


Adam Schumacher
Information Security Engineer
Creighton University

Don't share your password with ANYONE, EVER.  This means YOU!



= 1a72637cf94189654ab1a827520a5e41738f41b0

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]