Educause Security Discussion mailing list archives
Re: Password hints
From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Fri, 12 Dec 2008 22:12:17 -0500
This site does a good job analyzing various security questions and what makes them good or not: http://goodsecurityquestions.com/ I think OWASP has some recommendations on this as well.

It's hard to come up with good questions because you need info that's easy to remember but not easy to find. Good questions need to have a large number of answers. It may be true that your favorite color is not listed on the internet, but it's probably one of the 8 colors in a basic Crayola crayon box. Good questions shouldn't change over time. Last year my favorite movie was Batman Begins, but now I prefer The Dark Knight, etc.

I'm not a fan of user-selected questions, as it reduces account security to something like "What's my name" in some cases. I don't want to manually review them either. It's very likely to be entertaining, but I'm pretty sure there are more valuable uses of staff time.

One thing to consider: if you have to do a large-scale password reset (like you lost a password file), how many people will remember their security question from X number of years ago? It's probably a good idea to have them review it periodically to make sure they remember the answer to their secret question.

Zach

--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550
On 12/12/2008 at 4:26 PM, in message
<ECB7018303A0474781B2F617FF8CAAFC020D4DBD () EXCHANGECL1 ad umassp edu>, "Stewart, Ian" <istewart () UMASSP EDU> wrote:
Does anyone have advice for what sort of questions might be allowable or wise to use for password challenge-response in the event someone forgets their password? I think recent guidelines have ruled out using your mother's maiden name and other old standards. How have you handled this at your campus?

Thanks,
Ian
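Zach's criterion that a good question "needs to have a large number of answers" can be made measurable. The following is an added example, not code from the thread or from either poster: it scores a candidate question by the min-entropy and expected guess count of its answers over a sample population, which captures the crayon-box problem (eight nominal colors, but most people say the same few). The favorite-color sample data, the second sample and the 10-bit acceptance threshold are all constructed assumptions for illustration.

```python
import math
from collections import Counter


def normalize(answer):
    """Canonicalise an answer the way a reset endpoint would before comparing it,
    so the entropy is measured on what an attacker actually has to match."""
    return " ".join(answer.strip().lower().split())


def answer_entropies(answers):
    """Return (shannon_bits, min_entropy_bits) for a list of observed answers.

    Shannon entropy is the average information per answer; min-entropy
    (-log2 of the most common answer's share) is the figure that matters
    against someone who simply tries the most popular answer first."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    probs = [c / total for c in counts.values()]
    shannon = -sum(p * math.log2(p) for p in probs)
    min_entropy = -math.log2(max(probs))
    return shannon, min_entropy


def expected_guesses(answers):
    """Expected number of attempts for a guesser who tries answers in
    descending order of popularity (the 'guesswork' of the distribution)."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    ordered = sorted(counts.values(), reverse=True)
    return sum((i + 1) * c / total for i, c in enumerate(ordered))


def screen_question(question, answers, min_bits=10.0):
    """Accept a question only if its min-entropy over the sample population
    clears min_bits. The 10-bit default is an illustrative threshold chosen
    for this example, not a figure from the thread."""
    shannon, min_ent = answer_entropies(answers)
    return {
        "question": question,
        "distinct_answers": len(set(normalize(a) for a in answers)),
        "shannon_bits": round(shannon, 2),
        "min_entropy_bits": round(min_ent, 2),
        "expected_guesses": round(expected_guesses(answers), 2),
        "acceptable": min_ent >= min_bits,
    }


def favourite_colour_sample():
    """Constructed sample: 100 users asked 'What is your favorite color?'.
    Eight crayon-box answers, skewed toward blue, as a plausible population."""
    dist = {"Blue": 35, "red": 20, "Green": 15, "purple": 10,
            "black": 8, "yellow": 5, "orange": 4, "brown": 3}
    return [colour for colour, n in dist.items() for _ in range(n)]


def distinct_answer_sample(n=2048):
    """Constructed sample: n users who each gave a different answer, the best
    case the per-answer arithmetic can show for a population of that size."""
    return [f"answer-{i}" for i in range(n)]


if __name__ == "__main__":
    for name, sample in [("favorite color", favourite_colour_sample()),
                         ("distinct-answer question", distinct_answer_sample())]:
        print(screen_question(name, sample))
```

On the constructed color sample the question offers eight distinct answers but only about 1.5 bits of min-entropy and an expected 2.8 guesses, so it is rejected; the point of reporting min-entropy rather than the raw answer count is that a skewed distribution is far weaker than log2(N) suggests. The same screen run over real answer data from a campus population is what would tell you whether a candidate question is worth offering.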