Educause Security Discussion mailing list archives

Re: Password hints


From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 15 Dec 2008 11:34:53 -0500

Roger Safian wrote:
> At 05:57 PM 12/12/2008, Brian Kaye put fingers to keyboard and wrote:
>> Why not allow them to create their own challenge question with some
>> appropriate scan of the question and answer?
>
> FWIW, in our case, we wanted to create a system that the users
> could use online.  If you allow users to create their own questions,
> and you want self-remediation with online access, then they need to
> answer their question exactly the same.  It doesn't always work that
> way, since people forget things like capitalization, etc.


We've been contemplating a system that converts everything to
lower case and strips whitespace.

As for user-chosen questions and answers, they MUST be supplemented
with other information (e.g. org-chosen questions, org data, external
e-mail account password). Otherwise some percentage will:

1) Choose questions with a limited range of possible answers:
   What color is my favorite sweater?

2) Choose questions whose answers are available on their
   MySpace/Facebook page.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security


