Educause Security Discussion mailing list archives

Re: Password hints


From: Adam Schumacher <adamschumacher () CREIGHTON EDU>
Date: Mon, 15 Dec 2008 13:24:43 -0600

We require the user to pick a question from dropdowns.  I've used sites like
the aforementioned goodsecurityquestions.com to develop the questions which
attempt to ask for specific, unchanging, and yet generally private
information.  Of course, since I don't trust that process alone, a user also
has to set up an alternate email or cellphone number that an OTP gets sent to
before they can reset their password.  Yay for 2 factor!


On 12/12/08 3:26 PM, "Stewart, Ian" <istewart () UMASSP EDU> wrote:

Does anyone have advice for what sort of questions might be allowable or
wise to use for password challenge-response in the event someone forgets
their password? I think recent guidelines have ruled out using your
mother's maiden name and other old standards.

How have you handled this at your campus?



Thanks, Ian


sha1(

Adam Schumacher
Information Security Engineer
Creighton University

Don't share your password with ANYONE, EVER.  This means YOU!

402-280-2383
402-672-1732

)

= 1a72637cf94189654ab1a827520a5e41738f41b0
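
The reset flow described in this message (a chosen security question plus a one-time code sent to a pre-registered alternate contact) can be sketched as follows. This is an added example, not code from the original post or from any campus system; the class and function names, the 10-minute code lifetime and the 5-attempt limit are assumptions.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 600        # seconds an OTP stays valid (assumed policy)
MAX_ATTEMPTS = 5     # wrong tries before the pending reset is discarded (assumed)

def _norm(answer):
    # Fold case and whitespace so "  Omaha " matches "omaha"
    return " ".join(answer.lower().split())

def hash_answer(answer, salt):
    # Store answers like passwords: salted and slow-hashed, never plaintext
    return hashlib.pbkdf2_hmac("sha256", _norm(answer).encode(), salt, 100_000)

class ResetService:
    def __init__(self, send, clock=time.time):
        self.send, self.clock = send, clock   # send(contact, code) delivers out of band
        self.users, self.pending = {}, {}

    def enroll(self, user, answer, contact):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hash_answer(answer, salt), contact)

    def start(self, user):
        # Always return the same thing so callers cannot probe which accounts exist
        if user in self.users:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[user] = [hashlib.sha256(code.encode()).digest(),
                                  self.clock() + OTP_TTL, 0]
            self.send(self.users[user][2], code)
        return "If the account exists, a code was sent."

    def finish(self, user, answer, code):
        p = self.pending.get(user)
        if p is None or user not in self.users:
            return False
        digest, expires, tries = p
        if self.clock() > expires or tries >= MAX_ATTEMPTS:
            del self.pending[user]
            return False
        salt, stored, _ = self.users[user]
        # Evaluate both factors every time; compare in constant time
        ok_answer = hmac.compare_digest(hash_answer(answer, salt), stored)
        ok_code = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), digest)
        if ok_answer and ok_code:
            del self.pending[user]     # single use
            return True
        p[2] += 1
        return False
```

The password change itself should be allowed only when `finish` returns `True`; a correct answer alone or a correct code alone is rejected and counts against the attempt limit.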
