Educause Security Discussion mailing list archives

Re: Password hints

From: Darren Schell <darren.schell () ULETH CA>
Date: Mon, 15 Dec 2008 14:29:32 -0700

I ran across this site a few months back -- it describes analternative approach that attempts to address the weaknesses ofstandard "secret questions" schemes. They've done some research onthe problem and arrived at a scheme that involves collecting a list ofthings the user likes and dislikes:

http://www.ravenwhite.com/iforgotmypassword.html

You can try out the demo here:
http://blue-moon-authentication.com/

There's also a Google TechTalk on the subject:
http://www.youtube.com/watch?v=pypFzJmgPhg&feature=user

Darren Schell
Information Security Manager
Department of Information Technology
University of Lethbridge

On 12-Dec-08, at 2:26 PM, Stewart, Ian wrote:

Does anyone have advice for what sort of questions might beallowable or wise to use for password challenge-response in theevent someone forgets their password? I think recent guidelines haveruled out using your mother’s maiden name and other old standards.
How have you handled this at your campus?

Thanks, Ian

Attachment: smime.p7s
Description:

Current thread:

Re: Password hints, (continued)
- Re: Password hints Strzelec, Wally (Dec 12)
- Re: Password hints Brian Kaye (Dec 12)
- Re: Password hints Zach Jansen (Dec 12)
- Re: Password hints Russell Fulton (Dec 14)
- Re: Password hints Wayne Samardzich (Dec 14)
- Re: Password hints Brian Kaye (Dec 14)
- Re: Password hints Roger Safian (Dec 15)
- Re: Password hints Gary Flynn (Dec 15)
- Re: Password hints Cal Frye (Dec 15)
- Re: Password hints Adam Schumacher (Dec 15)
- Re: Password hints Darren Schell (Dec 15)