Educause Security Discussion
mailing list archives
Re: Password hints
From: Adam Schumacher <adamschumacher () CREIGHTON EDU>
Date: Mon, 15 Dec 2008 13:24:43 -0600
We require the user to pick a question from dropdowns. I've used sites like
the aforementioned goodsecurityquestions.com to develop the questions which
attempt to ask for specific, unchanging, and yet generally private
information. Of course, since I don't trust that process alone, a user also
has to set up an alternate email or cellphone number that an OTP gets sent to
before they can reset their password. Yay for 2 factor!
On 12/12/08 3:26 PM, "Stewart, Ian" <istewart () UMASSP EDU> wrote:
Does anyone have advice for what sort of questions might be allowable or
wise to use for password challenge-response in the event someone forgets
their password? I think recent guidelines have ruled out using your
mother's maiden name and other old standards.
How have you handled this at your campus?
Information Security Engineer
Don't share your password with ANYONE, EVER. This means YOU!
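
The reset design described in this message (a chosen security question plus an OTP sent to an alternate email or cellphone), sketched as an added example that is not part of the original post. The function names, the 10-minute OTP lifetime, the attempt limit and the hashing choices are all assumptions.

```python
import hashlib
import hmac
import secrets

OTP_TTL = 600        # assumption: OTP valid for 10 minutes
MAX_ATTEMPTS = 5     # assumption: reset is locked after 5 bad tries

def _norm(answer: str) -> bytes:
    # Ignore case and spacing so "  Blue Jay " matches "blue jay".
    return " ".join(answer.lower().split()).encode()

def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Treat the answer like a password: salted, slow hash, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", _norm(answer), salt, 200_000)

def enroll(answer: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "answer": _hash_answer(answer, salt),
            "otp": None, "tries": 0}

def issue_otp(rec: dict, now: float) -> str:
    # 6-digit code from the CSPRNG; only its hash and expiry are stored.
    code = f"{secrets.randbelow(10**6):06d}"
    rec["otp"] = (hashlib.sha256(code.encode()).digest(), now + OTP_TTL)
    rec["tries"] = 0
    return code  # caller delivers this to the alternate email or phone

def may_reset(rec: dict, answer: str, code: str, now: float) -> bool:
    # Both factors must pass; the OTP must be unexpired and unused.
    if rec["otp"] is None or rec["tries"] >= MAX_ATTEMPTS:
        return False
    otp_hash, expires = rec["otp"]
    answer_ok = hmac.compare_digest(_hash_answer(answer, rec["salt"]),
                                    rec["answer"])
    otp_ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(),
                                 otp_hash)
    if answer_ok and otp_ok and now <= expires:
        rec["otp"] = None  # single use: a replayed code is rejected
        return True
    rec["tries"] += 1      # count failures so neither factor can be guessed freely
    return False
```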