Educause Security Discussion mailing list archives

Re: Passowrd - User Self Service Resets?

From: Gary Dobbins <dobbins () ND EDU>
Date: Tue, 15 Mar 2005 08:18:47 -0500

We offer a self-serve reset feature based on a set of pre-established
shared secrets (the user must "subscribe" to the service sometime before
they need it).  The user can select three open-ended questions, one from
each of three lists, and supply their answers which are hashed.  Later, if
they resupply the correct answers they're allowed to choose a new password.

It's built atop our enterprise directory (LDAP), but the password-change is
then propagated into our MIT Kerberos realm and into the Active Directory
domain.

Dave Koontz wrote:

We have been asked to explore and evaluate programs which provide users with
a "Self Service" password reset mechanism via a Web Page. This is because
of an increasing number of our students who either forget their passowrds,
or set their browser to "remember" their password and don't have a clue what
it is when change time comes, causing more and more work for our helpdesk.

Has anyone written such a Web Program for allowing users to reset their own
passwords against a Windows 2003 AD Domain that they could share? Retail
products seem to be extremely over-priced. If you have found a reasonably
priced, well designed retail product please share any details.

Also, it has been suggested that the only information we need to collect
from a user via a web form to reset their account is the Network UserName,
College ID Number and the last 4 digits of their social security numbers.
This concerns me because all the information necessary to reset a password
is in a users wallet / purse, which of course could be lost. Also, this
information is readily available to any of our faculty and staff via our
Administrative software. Do anyone of you reset passwords with only this
data?

Would anyone be willing to share what they belive should be the MININIMUM
Data collection requirements? And how do you force users to go though a
registration process to populate the Password Reset system? I would like to
go to management with some 'from the field' reports of what others are
doing.

Thanks in Advance!

---
Dave Koontz
Associate Director, CIS
Mary Baldwin College
Staunton, VA

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/groups/.


--

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- Director, Information Security
  University of Notre Dame, Office of Information Technologies

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Current thread:

Passowrd - User Self Service Resets? Dave Koontz (Mar 14)
- <Possible follow-ups>
- Re: Passowrd - User Self Service Resets? Rob Tanner (Mar 14)
- Re: Passowrd - User Self Service Resets? Lucas, Bryan (Mar 14)
- Re: Passowrd - User Self Service Resets? Rich Graves (Mar 14)
- Re: Passowrd - User Self Service Resets? Lucas, Bryan (Mar 14)
- Re: Passowrd - User Self Service Resets? clementz.7 (Mar 14)
- Re: Passowrd - User Self Service Resets? Vicky Walker (Mar 14)
- Re: Passowrd - User Self Service Resets? Chris Boniforti - Lynn University (Mar 14)
- Re: Passowrd - User Self Service Resets? Lucas, Bryan (Mar 14)
- Re: Passowrd - User Self Service Resets? Gary Dobbins (Mar 15)
- Re: Passowrd - User Self Service Resets? Hart, Lee Anne (Mar 15)
- Re: Passowrd - User Self Service Resets? stanislav shalunov (Mar 15)
- Re: Passowrd - User Self Service Resets? Bill Frazier (Mar 15)
- Re: Passowrd - User Self Service Resets? Chris Boniforti - Lynn University (Mar 17)
- Re: Passowrd - User Self Service Resets? Lucas, Bryan (Mar 17)
- Re: Passowrd - User Self Service Resets? Lucas, Bryan (Mar 17)