Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Password hints
From: Darren Schell <darren.schell () ULETH CA>
Date: Mon, 15 Dec 2008 14:29:32 -0700

I ran across this site a few months back -- it describes an alternative approach that attempts to address the weaknesses of standard "secret questions" schemes. They've done some research on the problem and arrived at a scheme that involves collecting a list of things the user likes and dislikes:
http://www.ravenwhite.com/iforgotmypassword.html

You can try out the demo here:
http://blue-moon-authentication.com/

There's also a Google TechTalk on the subject:
http://www.youtube.com/watch?v=pypFzJmgPhg&feature=user

Darren Schell
Information Security Manager
Department of Information Technology
University of Lethbridge

On 12-Dec-08, at 2:26 PM, Stewart, Ian wrote:

Does anyone have advice for what sort of questions might be allowable or wise to use for password challenge-response in the event someone forgets their password? I think recent guidelines have ruled out using your mother’s maiden name and other old standards.
How have you handled this at your campus?

Thanks, Ian

Attachment: smime.p7s
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault