Good morning;
I am interested in getting a feel for what types of questions different organizations use for 'password reset questions' which allow a user to reset a password for themselves.
I feel reset questions should be something users would not easily be socially engineered out of (i.e. the last 4 digits of their social security number). I am looking for some precedent that I can take to the management of my organization and make it policy. Thanks!
Bill

Good practice is not to allow any dictionary words or words followed by a string of numbers: PASSWORD1, PASSWORD001, etc., are right out. A1l2t3r4n5t6i7n8g letters and numbers works pretty well, although you don't want something as simple as this numerical sequence, nor anything with your Social Security Number, phone number, house number, etc., in it.
There are a number of online password crackers you can use to check users' passwords to make sure they aren't easy to crack.
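As an added illustration (not code from the thread), here is a small checker that enforces the three rules this reply lists: no dictionary word with or without a digit suffix, no embedded personal identifiers such as SSN digits or a phone number, and no simple alternating letter/number run. The word list and the identifier inputs are constructed placeholders.

```python
import re

# Constructed mini word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "qwerty"}


def is_alternating_sequence(pw: str) -> bool:
    """True for passwords like 'a1b2c3d4': letters and digits strictly
    alternate and the digits form a consecutive run (1, 2, 3, ...)."""
    if len(pw) < 4:
        return False
    kinds = ["d" if c.isdigit() else "l" if c.isalpha() else "x" for c in pw]
    if "x" in kinds or any(kinds[i] == kinds[i + 1] for i in range(len(kinds) - 1)):
        return False
    digits = [int(c) for c in pw if c.isdigit()]
    return all(b - a == 1 for a, b in zip(digits, digits[1:]))


def check_password(pw: str, personal_ids: list[str]) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    personal_ids holds values the user must not embed (last-4 of SSN, phone
    number, house number); they are supplied by the caller from the directory.
    """
    problems = []
    # Rule 1: dictionary word, optionally followed by a run of digits.
    stem = re.sub(r"\d+$", "", pw.lower())
    if stem in DICTIONARY:
        problems.append("dictionary word, optionally followed by digits")
    # Rule 2: personal identifiers must not appear, either literally or as
    # their digit string (deliberately strict: letters between the digits
    # do not hide the identifier).
    digits_only = re.sub(r"\D", "", pw)
    for ident in personal_ids:
        ident_digits = re.sub(r"\D", "", ident)
        if ident and (ident.lower() in pw.lower()
                      or (ident_digits and ident_digits in digits_only)):
            problems.append(f"contains personal identifier {ident!r}")
    # Rule 3: simple alternating letter/number sequences.
    if is_alternating_sequence(pw):
        problems.append("simple alternating letter/number sequence")
    return problems
```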

Here is another good practice that may shock the management of your organization. In this article, M$ security guru said that companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems.
i_XpUser

It looks like the previous respondents didn't actually answer the question that had been asked.
Some examples of password self service reset questions are:
City (town, village) where you were born
Father's middle name
Favorite (or least favorite) food
Favorite (or dream) vacation location
Make/model of your first car
Name of the hospital where you were born
Name of your first pet

