Educause Security Discussion mailing list archives

Re: Password - User Self Service Resets?


From: "Hart, Lee Anne" <LeeAnne.Hart () MONTGOMERYCOLLEGE EDU>
Date: Tue, 15 Mar 2005 12:46:12 -0500

We're addressing a similar issue as well for an implementation of SCT's
Luminis system which contains the ability for self service password
resets. SCT Luminis is a web portal to our Banner system which contains
student and employee information. We've uncovered a potential issue that
no one seems to have mentioned yet: since this is a system that holds
student educational records which are covered by FERPA, doesn't due
diligence require that we make sure that any password reset system
doesn't rely on information certain to be known by parents, relatives or
other persons besides the student?  It would seem that this would rule
out questions like place of birth, mother's maiden name, and similar
biographic or demographic data.

Since this is a compliance issue, we've asked our management to solicit
an opinion from our General Counsel.  Has anyone already been down this
path to the point of receiving informed advice?

In the meantime, we've developed a set of questions which sidesteps the
issue.  The questions are below:

1. What is your favorite color?
2. What is your favorite food?
3. What is your favorite animal?
4. What is your favorite book?
5. Where would you go on your dream vacation?
6. What is your favorite place to visit?
7. What is your favorite holiday? 

After the new system is implemented, all users must answer the questions
at their first login. When a user needs to do a self service password
reset, they will be asked to answer three of the seven questions
correctly - the questions are randomly selected. Thanks,

Lee Anne Hart
IT Security Analyst
Montgomery College
Rockville, MD

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Koontz
Sent: Monday, March 14, 2005 2:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password - User Self Service Resets?

We have been asked to explore and evaluate programs which provide users
with a "Self Service" password reset mechanism via a Web Page.  This is
because of an increasing number of our students who either forget their
passwords, or set their browser to "remember" their password and don't
have a clue what it is when change time comes, causing more and more
work for our helpdesk.

Has anyone written such a Web Program for allowing users to reset their
own passwords against a Windows 2003 AD Domain that they could share?
Retail products seem to be extremely over-priced.  If you have found a
reasonably priced, well designed retail product please share any
details.

Also, it has been suggested that the only information we need to collect
from a user via a web form to reset their account is the Network
UserName, College ID Number and the last 4 digits of their social
security number. This concerns me because all the information necessary
to reset a password is in a user's wallet / purse, which of course could
be lost. Also, this information is readily available to any of our
faculty and staff via our Administrative software. Do any of you reset
passwords with only this data?

Would anyone be willing to share what they believe should be the
MINIMUM Data collection requirements?  And how do you force users to
go through a registration process to populate the Password Reset system?
I would like to go to management with some 'from the field' reports of
what others are doing.

Thanks in Advance!

---
Dave Koontz
Associate Director, CIS
Mary Baldwin College
Staunton, VA
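As an added illustration of the two messages above (not code from either poster or from the Luminis product), the following sketch implements the reset flow Lee Anne describes: every user answers all seven questions at first login, and a reset is granted only when three randomly chosen questions are all answered correctly. It also addresses the data-handling concern in Dave's message by never storing the answers themselves, only salted PBKDF2 hashes, and by counting failed attempts per account so the low-entropy answers (a favorite color has only a handful of plausible values) cannot simply be enumerated. The question list is copied from the post; the function names, the 100,000-iteration PBKDF2 setting, and the five-attempt lockout are assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import random

# The seven questions quoted in the thread; their list index serves as a question id.
QUESTIONS = [
    "What is your favorite color?",
    "What is your favorite food?",
    "What is your favorite animal?",
    "What is your favorite book?",
    "Where would you go on your dream vacation?",
    "What is your favorite place to visit?",
    "What is your favorite holiday?",
]
REQUIRED_CORRECT = 3      # from the post: three of the seven, chosen at random
PBKDF2_ROUNDS = 100_000   # assumed work factor for this example
MAX_FAILED_ATTEMPTS = 5   # assumed lockout threshold; the post does not specify one


def normalize(answer: str) -> str:
    """Canonicalize an answer so case and stray whitespace do not cause a false mismatch."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the normalized answer; the plaintext is never kept."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(answers: list) -> dict:
    """First-login registration: one salt and hash per question, plus a failure counter."""
    if len(answers) != len(QUESTIONS):
        raise ValueError("every question must be answered at enrollment")
    records = []
    for answer in answers:
        if len(normalize(answer)) < 2:
            raise ValueError("answer too short to be meaningful")
        salt = os.urandom(16)
        records.append({"salt": salt, "hash": hash_answer(answer, salt)})
    return {"answers": records, "failed": 0}


def pick_challenge(rng: random.Random | None = None) -> list:
    """Select three distinct question ids using an OS-backed CSPRNG."""
    rng = rng or random.SystemRandom()
    return sorted(rng.sample(range(len(QUESTIONS)), REQUIRED_CORRECT))


def verify_challenge(account: dict, challenge: list, supplied: list) -> bool:
    """Grant the reset only if all challenged answers match.

    Every supplied answer is checked even after one fails, so the response time does not
    reveal which question was answered wrongly. Failures are counted and the account is
    refused further attempts once the threshold is reached.
    """
    if account["failed"] >= MAX_FAILED_ATTEMPTS:
        return False
    if len(challenge) != REQUIRED_CORRECT or len(supplied) != REQUIRED_CORRECT:
        account["failed"] += 1
        return False
    ok = True
    for qid, answer in zip(challenge, supplied):
        rec = account["answers"][qid]
        if not hmac.compare_digest(hash_answer(answer, rec["salt"]), rec["hash"]):
            ok = False
    if ok:
        account["failed"] = 0
    else:
        account["failed"] += 1
    return ok


if __name__ == "__main__":
    # Constructed sample enrollment for a demonstration run.
    acct = enroll(["Blue", "pizza", "cat", "Dune", "Iceland", "Maine", "Halloween"])
    ids = pick_challenge()
    print("challenge:", [QUESTIONS[i] for i in ids])
    print("reset allowed:", verify_challenge(acct, [0, 1, 2], ["blue", "Pizza", " cat "]))
```

Two design points worth noting. The verifier compares hashes with a constant-time function and evaluates all three answers regardless of earlier failures, so an attacker gets a single yes/no per attempt rather than per-question feedback. The lockout counter matters more here than it would for a password: with answers like "favorite color", the three-of-seven requirement only buys security if the number of guesses is strictly bounded.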

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.