Educause Security Discussion mailing list archives

Re: Password hints

From: "Jason C. Belford" <jason.belford () OIT GATECH EDU>
Date: Fri, 12 Dec 2008 16:35:30 -0500

Ian,

Does anyone have advice for what sort of questions might beallowable or wise to use for password challenge-response in theevent someone forgets their password? I think recent guidelines haveruled out using your mother’s maiden name and other old standards.
How have you handled this at your campus?

Currently we have a list of 72 questions and pick 9 at random todisplay to the user (when setting up the challenge-responsequestions). A 10th option is where they can write their ownquestion. We have seen some very impressive (and imaginativequestions) being asked as well as those like "Mother's Maiden Name."

We are re-evaluating our hints, but we have learned a few lessonsabout user behavior in our attempts. Mostly importantly, stay awayfrom questions, which will have ephemeral answers (i.e. what is yourfavorite....).


--Jason

--
Jason C. Belford
Information Security Manager
Office of Information Technology
Georgia Institute of Technology
Phone: (404) 894 - 6159

Current thread:

Password hints Stewart, Ian (Dec 12)
- <Possible follow-ups>
- Re: Password hints Jason C. Belford (Dec 12)
- Re: Password hints Neil Matatall (Dec 12)
- Re: Password hints Strzelec, Wally (Dec 12)
- Re: Password hints Brian Kaye (Dec 12)
- Re: Password hints Zach Jansen (Dec 12)
- Re: Password hints Russell Fulton (Dec 14)
- Re: Password hints Wayne Samardzich (Dec 14)
- Re: Password hints Brian Kaye (Dec 14)
- Re: Password hints Roger Safian (Dec 15)
- Re: Password hints Gary Flynn (Dec 15)
- Re: Password hints Cal Frye (Dec 15)

(Thread continues...)