Non-Exhaustive Initial Survey of Sites Implementing Question Based
Identity Recovery
- Brandeis
User must provide answer to "Unforgettable Question" and present
photo ID in person to select a new password.
http://www.brandeis.edu/its/computerhelp/hotquestions/passwords.html
- City National Bank, California
User answers at least two questions from this set:
  - City of birth
  - Grandparent's first name
  - Mother's maiden name
  - Pet's name
  - Social security number
  - Custom question and answer
In the event of a forgotten password, the user must answer exactly
the questions originally selected.
http://www.cityntl.com/
- estrong.com
User answers a question established during registration.
http://www.estrong.com/strongweb/myStrong_guest2/profile/security/resetpassindex.jsp
- Georgetown University (Alumni)
User provides a secret question and answer. If forgotten, a phone
call is required.
http://alumni.georgetown.edu/site/PageServer?pagename=help_netid
http://www.educause.edu/awards/epit/2000/hoyas.html
- insecure.org discussion list
Some relevant thoughts on secret questions:
http://lists.insecure.org/lists/webappsec/2002/Oct-Dec/0015.html
- Indiana University
User selects two questions from a predetermined set, creates two
additional questions of their own choosing, and must answer all
four every time they change their password.
A single failed attempt will invalidate the current password, forcing
the user to visit the help desk to create a valid password.
http://www.indiana.edu/~iudata/policyoffice/20quesdisplaychar.htm
- James Madison University
User creates a secret question and answer. When they forget their
password they have to give their e-ID and birthdate before they are
prompted with the secret question.
http://cob.jmu.edu/grunewlh/Email_Password_Reset_Secret_Question.html
- Louisiana State Government
User provides one personal question and answer or must answer five
randomly selected questions.
http://www.state.la.us/isis/ess/ESS_FAQS.htm
- Northeastern
User answers a challenge question if established, or may use a PIN
if the PIN has not been previously used.
http://www.nuway.neu.edu/login_help.html
- Northwestern
User provides one question and answer. In the event of a forgotten
password, the question must be answered to an accounts person (i.e.,
no automatic mechanism). If the question or answer is deemed
objectionable, the accounts person may refuse to help.
http://snap.it.northwestern.edu/reset.html
- Oklahoma State
User provides an answer to a selected challenge phrase.
http://home.okstate.edu/prism
- Seagate Technology LLC
To change password user must answer one of these questions:
What is your city of birth?
What is your pet's name?
What was your last school attended?
The user must remember which question is on file and answers are
limited to 30 characters.
https://partnerreg.seagate.com/pppm/reset_password.jsp
- Sentara Healthcare
To change password user must answer one of these questions:
What is your mother's maiden name?
What is your pet's name?
What is your wedding anniversary?
What elementary school did you attend?
The user must remember which question is on file.
https://mdoffice.sentara.com/unsecured/resetpassword.asp
- University of Missouri -- Kansas City
User selects 3 personal questions and provides answers.
http://www.umkc.edu/exchange-faq/password_reset_page.htm
- MSN Hotmail
Prompts with secret question after user enters their correct zip
code. But users outside the U.S. can skip the zip code question
and go directly to the secret question, which can be anything
such as "How are you?".
http://www.securityfocus.com/archive/1/294565/2002-10-06/2002-10-12/0
- University of Washington
User selects three or more questions out of six existing and one
free form. A measurable number of people don't read the instructions,
and others insert questions like "My password is xxx".
http://staff.washington.edu/rlmorgan/misc/qna-password-reset
- UPS: United Parcel Service
User creates a secret question and answer.
http://www.ups.com/using/custserv/techfaq/ims_faq.html
- yodlee.com
User answers at least 2 questions to enable the recovery service.
To recover, the user must type in exactly the answers to the exact
questions initially selected.
http://www.yodlee.com/help/preferences.html
- zwallet.com
User must provide both personal information and the answer to the
secret question that the user selected.
- chase.com
  - In what city was your first elementary school?
  - In what city were you living at age 14?
  - What is the middle name of your youngest sibling?
  - What is the last name of your first grade teacher?
  - In what city were you at the turn of the millennium?
  - What is your pet's name?
Additionally, it appears that the University of Maryland Baltimore County
was going to implement something, but it is unclear if they did.
PC Guardian makes desktop software for Windows logon that requires the
creation of two question/answer pairs to recover the user's password.