Educause Security Discussion mailing list archives

Re: Password hints


From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Fri, 12 Dec 2008 22:12:17 -0500

This site does a good job analyzing various security questions and what makes them good or not. 
http://goodsecurityquestions.com/ I think OWASP has some recommendations on this as well. 

It's hard to come up with good questions because you need info that's easy to remember but not easy to find. Good 
questions need to have a large number of answers. It may be true that your favorite color is not listed on the internet, 
but it's probably one of the 8 colors in a basic Crayola crayon box. Good questions shouldn't change over time. Last 
year my favorite movie was Batman Begins, but now I prefer The Dark Knight, etc. 

I'm not a fan of user selected questions as it reduces account security to something like "What's my name" in some 
cases. I don't want to manually review them either. It's very likely to be entertaining, but I'm pretty sure there are 
more valuable uses of staff time. 

One thing to consider: if you have to do a large-scale password reset (like you lost a password file), how many people 
will remember their security question from X number of years ago? It's probably a good idea to have them review it 
periodically to make sure they remember the answer to their secret question. 


Zach

-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

On 12/12/2008 at 4:26 PM, in message
<ECB7018303A0474781B2F617FF8CAAFC020D4DBD () EXCHANGECL1 ad umassp edu>, "Stewart,
Ian" <istewart () UMASSP EDU> wrote:
Does anyone have advice for what sort of questions might be allowable or
wise to use for password challenge-response in the event someone forgets
their password? I think recent guidelines have ruled out using your
mother's maiden name and other old standards.

How have you handled this at your campus?

Thanks, Ian
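Two of the points raised above (a good question needs a large, evenly spread answer space, and users should periodically re-confirm they still know their answer) can be checked with a little arithmetic rather than by intuition. The following is an added example, not code from the list thread or from any of the institutions mentioned; the answer distributions, user records and the 5-guess / 1% thresholds are constructed assumptions chosen for illustration. It shows why a question with only eight common answers is effectively broken even with a lockout after a handful of attempts, and how to flag accounts whose answer has not been re-verified recently.

```python
"""Estimate the guessing resistance of a security question and flag stale answers.

Added example (not from the mailing-list thread). All distributions and dates
below are constructed for illustration, not survey data.
"""
from datetime import date, timedelta
from math import log2
from typing import Dict, List, Tuple

# Constructed: assumed share of users giving each answer to "favorite color".
# Small answer space, skewed toward a few popular answers.
FAVORITE_COLOR: Dict[str, float] = {
    "blue": 0.30, "red": 0.17, "green": 0.15, "purple": 0.12,
    "black": 0.08, "orange": 0.07, "yellow": 0.06, "brown": 0.05,
}

# Constructed: a question with 2,000 equally likely answers, for comparison.
FIRST_STREET: Dict[str, float] = {f"street-{i}": 1 / 2000 for i in range(2000)}

# Constructed: (user id, date the user last confirmed their answer).
SAMPLE_RECORDS: List[Tuple[str, date]] = [
    ("alice", date(2005, 3, 1)),
    ("bob", date(2008, 6, 1)),
]
SAMPLE_TODAY = date(2008, 12, 12)


def shannon_entropy_bits(dist: Dict[str, float]) -> float:
    """Average uncertainty of the answer, in bits (an optimistic measure)."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def min_entropy_bits(dist: Dict[str, float]) -> float:
    """Uncertainty faced by an attacker who always tries the single most common
    answer first; this is the figure that matters for online guessing."""
    return -log2(max(dist.values()))


def guess_success_rate(dist: Dict[str, float], attempts: int) -> float:
    """Fraction of accounts broken by trying the `attempts` most common answers,
    i.e. what an attacker gets before a lockout of `attempts` tries kicks in."""
    ranked = sorted(dist.values(), reverse=True)
    return min(1.0, sum(ranked[:attempts]))


def assess_question(dist: Dict[str, float], attempts: int = 5,
                    max_success: float = 0.01) -> Tuple[bool, float]:
    """Return (acceptable, success_rate). A question is acceptable when an
    attacker limited to `attempts` guesses breaks at most `max_success` of
    accounts. Thresholds are assumptions, not a published standard."""
    rate = guess_success_rate(dist, attempts)
    return rate <= max_success, rate


def accounts_needing_review(records: List[Tuple[str, date]], today: date,
                            max_age_days: int = 365) -> List[str]:
    """User ids whose answer was last confirmed more than max_age_days ago and
    who should be prompted to re-verify it at next login."""
    cutoff = today - timedelta(days=max_age_days)
    return [uid for uid, last_confirmed in records if last_confirmed < cutoff]


if __name__ == "__main__":
    for name, dist in (("favorite color", FAVORITE_COLOR),
                       ("first street", FIRST_STREET)):
        ok, rate = assess_question(dist)
        print(f"{name}: shannon={shannon_entropy_bits(dist):.2f} bits, "
              f"min-entropy={min_entropy_bits(dist):.2f} bits, "
              f"5-guess success={rate:.1%}, acceptable={ok}")
    print("needs review:", accounts_needing_review(SAMPLE_RECORDS, SAMPLE_TODAY))
```

With the constructed color distribution, five guesses succeed against 82% of accounts, so neither Shannon entropy (about 2.75 bits) nor a lockout policy rescues the question; the 2,000-answer question yields a 0.25% success rate under the same five-try limit. Min-entropy is the figure to report when comparing candidate questions, because an attacker's first guess is always the most popular answer.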