Educause Security Discussion mailing list archives

Re: Password hints


From: Brian Kaye <bdk () UNB CA>
Date: Sun, 14 Dec 2008 18:25:43 -0400

On Mon, 15 Dec 2008, Russell Fulton wrote:

Date: Mon, 15 Dec 2008 07:54:55 +1300
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Reply-To: The EDUCAUSE Security Constituent Group Listserv
    <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password hints


On 13/12/2008, at 12:57 PM, Brian Kaye wrote:

Why not allow them to create their own challenge question with some
appropriate scan of the question and answer?

The latter is the difficult bit. How do you stop people including the
password in the question?

Russell

A comparison of the text at the time the question is set would eliminate
the clear text answers. You might do any of a bunch of matches to
invalidate a question. Any answer that is encoded in the question by some
algorithm only the owner knows might suffice. Certainly better than the
maiden name/favourite colour questions.


.....Brian
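
The set-time comparison discussed in this thread could look like the sketch below. It is an added example, not code from either poster; the function names, the `min_run` threshold and the sample strings are hypothetical, and it assumes the plaintext answer and password are available at the moment the question is saved.

```python
import re
import unicodedata

# Undo common digit/symbol substitutions before comparing.
_LEET = str.maketrans("013457@$", "oieastas")

def _norm(text):
    """Lower-case, undo leet swaps, drop accents, spaces and punctuation."""
    text = unicodedata.normalize("NFKD", text).lower().translate(_LEET)
    return re.sub(r"[^a-z0-9]", "", text)

def question_leaks(question, secrets, min_run=4):
    """Return [(label, reason)] for each secret the question text gives away.

    secrets maps a label ("answer", "password") to its plaintext, which is
    assumed to be in hand only while the question is being set.
    """
    q = _norm(question)
    words = {_norm(w) for w in question.split()}
    findings = []
    for label, secret in secrets.items():
        s = _norm(secret)
        if not s:
            continue  # nothing comparable left, and "" is "in" every string
        # Short secrets must match a whole word, or "red" would hit "preferred".
        verbatim = s in q if len(s) >= min_run else s in words
        if verbatim:
            findings.append((label, "verbatim"))
        elif len(s) >= min_run and s[::-1] in q:
            findings.append((label, "reversed"))
        elif any(s[i:i + min_run] in q for i in range(len(s) - min_run + 1)):
            findings.append((label, "fragment"))
    return findings

if __name__ == "__main__":
    # Constructed sample submissions, not taken from the thread.
    samples = [
        ("What is my pet's name? (It's Biscuit)", {"answer": "biscuit"}),
        ("Same as my login: p4$$w0rd", {"password": "Password"}),
        ("Which teacher gave me detention in grade nine?",
         {"answer": "Mrs Okafor", "password": "correct horse"}),
    ]
    for question, secrets in samples:
        print(question, "->", question_leaks(question, secrets) or "accepted")
```

A question that encodes the answer by a scheme only its owner knows passes these checks, which is the case the last message treats as acceptable.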
