Educause Security Discussion mailing list archives
Re: Password hints
From: Adam Schumacher <adamschumacher () CREIGHTON EDU>
Date: Mon, 15 Dec 2008 13:24:43 -0600
We require the user to pick a question from dropdowns. I've used sites like the aforementioned goodsecurityquestions.com to develop the questions, which attempt to ask for specific, unchanging, and yet generally private information. Of course, since I don't trust that process alone, a user also has to set up an alternate email or cellphone number that an OTP gets sent to before they can reset their password. Yay for 2 factor!

On 12/12/08 3:26 PM, "Stewart, Ian" <istewart () UMASSP EDU> wrote:
Does anyone have advice for what sort of questions might be allowable or wise to use for password challenge-response in the event someone forgets their password? I think recent guidelines have ruled out using your mother's maiden name and other old standards. How have you handled this at your campus?

Thanks,
Ian
sha1( Adam Schumacher Information Security Engineer Creighton University Don't share your password with ANYONE, EVER. This means YOU! 402-280-2383 402-672-1732 ) = 1a72637cf94189654ab1a827520a5e41738f41b0
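A sketch of the two-step reset described in the message above (security answer, then an OTP sent to a pre-enrolled alternate channel), as an added example that is not part of the original post or Creighton's system. All function names, the 10-minute lifetime and the 5-guess limit are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 600      # seconds an OTP stays valid (assumed policy)
MAX_TRIES = 5      # wrong guesses before the pending reset is voided (assumed)

def _norm(answer):
    # Case and spacing differences should not lock out the real user.
    return " ".join(answer.lower().split())

def _kdf(secret, salt):
    # Salted, slow hash so neither answers nor codes are stored in the clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def enroll(answer):
    """Create the per-user record holding only a salted hash of the answer."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "answer": _kdf(_norm(answer), salt)}

def start_reset(user, answer, now=None):
    """Step 1: check the answer; on success issue an OTP for out-of-band delivery."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(_kdf(_norm(answer), user["salt"]), user["answer"]):
        return None
    otp = f"{secrets.randbelow(10**6):06d}"
    user["otp"] = {"hash": _kdf(otp, user["salt"]),
                   "expires": now + OTP_TTL, "tries": 0}
    return otp  # caller sends this to the enrolled alternate email or cellphone

def finish_reset(user, otp, now=None):
    """Step 2: allow the password change only with a fresh, unused OTP."""
    now = time.time() if now is None else now
    pending = user.get("otp")
    if pending is None or now > pending["expires"]:
        user.pop("otp", None)
        return False
    pending["tries"] += 1
    ok = hmac.compare_digest(_kdf(otp, user["salt"]), pending["hash"])
    if ok or pending["tries"] >= MAX_TRIES:
        user.pop("otp", None)  # single use; also void after too many guesses
    return ok
```

The answer alone never unlocks the reset: `finish_reset` has to succeed with the code delivered to the second channel, and a used, expired or over-guessed code is discarded.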