Educause Security Discussion mailing list archives
Re: Password hints
From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 15 Dec 2008 11:34:53 -0500
Roger Safian wrote:
> At 05:57 PM 12/12/2008, Brian Kaye put fingers to keyboard and wrote:
>> Why not allow them to create their own challenge question with some appropriate scan of the question and answer?
>
> FWIW, in our case, we wanted to create a system that the users could use online. If you allow users to create their own questions, and you want a self remediation online access, then they need to answer their question exactly the same. It doesn't always work that way, since people forget things like capitalization, etc.
We've been contemplating a system that converts everything to lower case and strips whitespace.

As for user chosen questions and answers, they MUST be supplemented with other information (e.g. org chosen questions, org data, external e-mail address account password). Otherwise some percentage will:

1) Choose questions with a limited range of possible answers: What color is my favorite sweater?
2) Choose questions whose answers are available on their MySpace/Facebook page.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
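The following is an added example, not part of the original message or of any JMU system: a Python sketch of the approach described above, where answers are lower-cased and stripped of whitespace before comparison, and a user-chosen question never authorizes a reset on its own. The function names, the Unicode normalization step, the PBKDF2 parameters and the short list of limited-range answers are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 200_000  # assumed work factor, not a value from the thread

# Constructed sample of "limited range" answers (the favorite-sweater problem).
LIMITED_RANGE_ANSWERS = {"red", "blue", "green", "black", "white", "yes", "no"}


def normalize_answer(answer: str) -> str:
    """Lower-case the answer and strip all whitespace, including inner spaces."""
    # NFKC + casefold is an added assumption so visually identical Unicode
    # input (full-width letters, etc.) normalizes to the same string.
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(folded.split())


def _derive(answer: str, salt: bytes) -> bytes:
    data = normalize_answer(answer).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)


def enroll(answer: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) for storage; the plain answer is never kept."""
    salt = os.urandom(16)
    return salt, _derive(answer, salt)


def verify(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the normalized candidate answer."""
    return hmac.compare_digest(_derive(answer, salt), digest)


def is_limited_range(answer: str) -> bool:
    """Flag answers an attacker could guess from a small set of values."""
    norm = normalize_answer(answer)
    return len(norm) < 4 or norm in LIMITED_RANGE_ANSWERS


def allow_reset(user_answer_ok: bool, org_factor_ok: bool) -> bool:
    """User-chosen Q&A must be supplemented (org question, org data, ...)."""
    return user_answer_ok and org_factor_ok
```

Normalization shrinks the answer space slightly, which is one more reason the user-chosen answer is treated as only one of two required checks.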