Educause Security Discussion mailing list archives

Re: Challenge/response questions?


From: "Schumacher, Adam J" <ADAMSCHUMACHER () CREIGHTON EDU>
Date: Mon, 13 Apr 2009 11:23:38 -0500

We use security questions plus having access to a secondary email account or
cellphone capable of receiving text messages to reset passwords.  We provide
15 possible questions to choose from, of which they must select three (and
answer a random selection of 2).

Best practices for questions would involve things that aren't likely to
change over time (excludes "what's your favorite _____?" type questions),
things that aren't too easy to guess or find out, and have high entropy
(lots of possible answers).

Some examples of decent questions might include:
What is your oldest sibling's birthday?
What is the address of the first house you lived in?
What hospital were you born at?
What was the color of your first car?
What was the make/model of your first car?


On 4/10/09 12:57 PM, "Witmer, Robert" <r.witmer () SNHU EDU> wrote:

There must be a better way!  We have a customized single sign on solution and
are looking at self service password resets from a web page.  Everything after
authentication has been worked out.  Currently we are thinking of using
challenge/response type questions to verify account ownership.  However,
either most of the information is available online (mother's maiden name =
genealogy sites) or includes personally identifying information (SSN last 4)
that we don't collect and don't want to use.

Anyone have a better idea?  If not, anyone have better challenge/response
questions?

Regards,
Bob

sha1(

Adam Schumacher
Information Security Engineer
Creighton University

Don't share your password with ANYONE, EVER.  This means YOU!

402-280-2383
402-672-1732

)

= 1a72637cf94189654ab1a827520a5e41738f41b0
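Adam's scheme (enrol three questions, challenge a random two) as an added example, not code from the list or from Creighton's system: it stores only salted PBKDF2 hashes of normalized answers, picks the challenge pair with a CSPRNG, compares in constant time and locks the flow after repeated failures. The question ids, the three-attempt limit and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import secrets
import string
import unicodedata

# Constructed question bank for the example; Adam's message describes a bank of 15.
QUESTION_BANK = {
    "q01": "What is your oldest sibling's birthday?",
    "q03": "What hospital were you born at?",
    "q04": "What was the color of your first car?",
}
ENROLL_COUNT = 3      # each user picks three questions at enrolment
CHALLENGE_COUNT = 2   # two of those three are asked, chosen at random, per reset
MAX_ATTEMPTS = 3      # failures allowed before the reset flow locks (assumed policy)

def normalize(answer):
    """Fold case, accents, punctuation and spacing: 'St. Joseph' and 'st joseph' compare equal."""
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return "".join(c for c in text.lower() if c not in string.punctuation + string.whitespace)

def _hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000).hex()

def enroll(choices):
    """choices maps question id -> plaintext answer; only a salt and a hash are stored."""
    if len(choices) != ENROLL_COUNT or not set(choices) <= set(QUESTION_BANK):
        raise ValueError(f"choose exactly {ENROLL_COUNT} questions from the bank")
    record = {}
    for qid, answer in choices.items():
        salt = secrets.token_bytes(16)
        record[qid] = {"salt": salt.hex(), "hash": _hash_answer(answer, salt)}
    return record

def issue_challenge(record):
    """Pick CHALLENGE_COUNT of the enrolled questions using the OS CSPRNG."""
    return secrets.SystemRandom().sample(sorted(record), CHALLENGE_COUNT)

def verify(record, challenge, responses, state):
    """All challenged answers must match; state is the per-account failure counter."""
    if state.get("failures", 0) >= MAX_ATTEMPTS:   # lockout: persisted server-side in practice
        return False
    ok = set(responses) == set(challenge)
    for qid in challenge:
        digest = _hash_answer(responses.get(qid, ""), bytes.fromhex(record[qid]["salt"]))
        # Compare every answer in constant time so the response does not reveal which one failed.
        ok = hmac.compare_digest(digest, record[qid]["hash"]) and ok
    if not ok:
        state["failures"] = state.get("failures", 0) + 1
    return ok
```

The normalization step matters in practice: answers like "St. Joseph's" are retyped years later with different punctuation, and without it users fail their own questions.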
