http://msmvps.com/blogs/alunj/archive/2006/05/24/96773.aspxKeith Brown expresses concern over the security questions people ask themselves for password reset, and suggests that the user not be allowed to write the question, so that sufficiently secure questions can be asked. Congratulations - you've addressedenCommunityServer 2008.5 SP2 (Build: 40407.4157)http://msmvps.com/blogs/alunj/archive/2006/05/24/96773.aspx#1486201Wed, 30 Jan 2008 02:16:05 GMTd67277c4-116b-43f1-b688-e9ef184ea916:1486201Alun Jones<p>Sounds like a company that needs a little security awareness training.</p> <div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=1486201" width="1" height="1">http://msmvps.com/blogs/alunj/archive/2006/05/24/96773.aspx#1486169Wed, 30 Jan 2008 01:51:26 GMTd67277c4-116b-43f1-b688-e9ef184ea916:1486169Cat <p>Why don&#39;t you just walk over to the security office, show them your photo identity, and get them to reset your password?</p> <p>Because the line of people getting their password reset over there is 4 hours long. &nbsp;</p> <div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=1486169" width="1" height="1">http://msmvps.com/blogs/alunj/archive/2006/05/24/96773.aspx#1325616Sun, 18 Nov 2007 00:41:07 GMTd67277c4-116b-43f1-b688-e9ef184ea916:1325616Garry<p>Some questions pose more serious threats than others, and some can be quite difficult to decipher or crack. There&#39;s a list of good, fair, and poor questions at www.goodsecurityquestions.com along with guidelines to find the better questions.</p> <div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=1325616" width="1" height="1">http://msmvps.com/blogs/alunj/archive/2006/05/24/96773.aspx#100079Thu, 08 Jun 2006 01:39:53 GMTd67277c4-116b-43f1-b688-e9ef184ea916:100079Paul LaudemanKeith Brown states that password &amp;amp;ldquo;security questions are considered dangerous&amp;amp;rdquo; in the context...<img src="http://msmvps.com/aggbug.aspx?PostID=100079" width="1" height="1">http://msmvps.com/blogs/alunj/archive/2006/05/24/96773.aspx#96852Thu, 25 May 2006 03:39:50 GMTd67277c4-116b-43f1-b688-e9ef184ea916:96852Alun JonesThe &quot;walk over to the security office&quot; is just an example. It could just as easily be &quot;get two other people in your team to vouch for your identity&quot;, &quot;get your manager to request the password to be reset&quot;, etc, etc - those are examples for an office environment. There are more creative ways to ask for verification of identity. <br>As to being extreme with the concerns, I guess it's going to depend on how many people are going to be inconvenienced by whatever scheme you choose. I never had a favourite sports team, but that's usually the choice I have to make when it's just one out of four questions, because I don't fit a number of other categories, or the answers to the remaining questions are known by too many people.<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=96852" width="1" height="1">http://msmvps.com/blogs/alunj/archive/2006/05/24/96773.aspx#96817Wed, 24 May 2006 21:17:37 GMTd67277c4-116b-43f1-b688-e9ef184ea916:96817BuckyQ. Why don't you just walk over to the security office, show them your photo identity, and get them to reset your password? <br> <br>A. Because that's way too far to walk. <br> <br>Then again, people who know me might be able to guess that one. <br> <br>First off, I agree with your overall intent, I just disagree with your examples. I think you are going a bit extreme with your concerns. There will always be systems where someone can't participate; Iris scanner/lose an eye, fingerprints/burns, etc. The solution is finding a good way to handle the majority while planning for the minority. <br><div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=96817" width="1" height="1">