Educause Security Discussion mailing list archives
Re: Passowrd - User Self Service Resets?
From: "Hart, Lee Anne" <LeeAnne.Hart () MONTGOMERYCOLLEGE EDU>
Date: Tue, 15 Mar 2005 12:46:12 -0500
We're addressing a similar issue as well for an implementation of SCT's Luminis system which contains the ability for self service password resets. SCT Luminis is a web portal to our Banner system which contains student and employee information.

We've uncovered a potential issue that no one seems to have mentioned yet: since this is a system that holds student educational records which are covered by FERPA, doesn't due diligence require that we make sure that any password reset system doesn't rely on information certain to be known by parents, relatives or other persons besides the student? It would seem that this would rule out questions like place of birth, mother's maiden name, and similar biographic or demographic data. Since this is a compliance issue, we've asked our management to solicit an opinion from our General Counsel. Has anyone already been down this path to the point of receiving informed advice?

In the meantime, we've developed a set of questions which sidesteps the issue. The questions are below:

1. What is your favorite color?
2. What is your favorite food?
3. What is your favorite animal?
4. What is your favorite book?
5. Where would you go on your dream vacation?
6. What is your favorite place to visit?
7. What is your favorite holiday?

After the new system is implemented, all users must answer the questions at their first login. When a user needs to do a self service password reset, they will be asked to answer three of the seven questions correctly - the questions are randomly selected.

Thanks,
Lee Anne Hart
IT Security Analyst
Montgomery College
Rockville, MD

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Koontz
Sent: Monday, March 14, 2005 2:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Passowrd - User Self Service Resets?
We have been asked to explore and evaluate programs which provide users with a "Self Service" password reset mechanism via a Web Page. This is because of an increasing number of our students who either forget their passwords, or set their browser to "remember" their password and don't have a clue what it is when change time comes, causing more and more work for our helpdesk.

Has anyone written such a Web Program for allowing users to reset their own passwords against a Windows 2003 AD Domain that they could share? Retail products seem to be extremely over-priced. If you have found a reasonably priced, well designed retail product please share any details.

Also, it has been suggested that the only information we need to collect from a user via a web form to reset their account is the Network UserName, College ID Number and the last 4 digits of their social security numbers. This concerns me because all the information necessary to reset a password is in a user's wallet / purse, which of course could be lost. Also, this information is readily available to any of our faculty and staff via our Administrative software.

Do any of you reset passwords with only this data? Would anyone be willing to share what they believe should be the MINIMUM Data collection requirements? And how do you force users to go through a registration process to populate the Password Reset system?

I would like to go to management with some 'from the field' reports of what others are doing.

Thanks in Advance!

---
Dave Koontz
Associate Director, CIS
Mary Baldwin College
Staunton, VA

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
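The reset check described in Lee Anne Hart's message above (all seven questions answered at enrollment, three drawn at random, all three required), sketched in Python as an added example that is not part of the thread and not code from SCT Luminis. The salted PBKDF2 storage, the answer normalization, the three-attempt cap and the names `enroll` and `ResetSession` are assumptions the messages do not mention.

```python
import hashlib
import hmac
import secrets
import unicodedata

# The seven questions listed in the message above.
QUESTIONS = [
    "What is your favorite color?",
    "What is your favorite food?",
    "What is your favorite animal?",
    "What is your favorite book?",
    "Where would you go on your dream vacation?",
    "What is your favorite place to visit?",
    "What is your favorite holiday?",
]
ASK = 3               # three of seven, as described in the message
MAX_ATTEMPTS = 3      # assumption: cap on tries per reset session
ITERATIONS = 100_000  # assumption: PBKDF2 work factor

def _normalize(answer):
    # Compare answers without regard to case, spacing or Unicode form.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def _digest(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, ITERATIONS)

def enroll(answers):
    """Store a (salt, digest) pair per question; plaintext answers are not kept."""
    if len(answers) != len(QUESTIONS) or not all(_normalize(a) for a in answers):
        raise ValueError("all seven questions must be answered")
    salts = [secrets.token_bytes(16) for _ in answers]
    return [(s, _digest(a, s)) for a, s in zip(answers, salts)]

class ResetSession:
    def __init__(self, record):
        self.record = record
        # Drawn once per session, so a retry faces the same three questions.
        self.challenge = sorted(secrets.SystemRandom().sample(range(len(QUESTIONS)), ASK))
        self.attempts_left = MAX_ATTEMPTS

    def verify(self, responses):
        """responses maps question index to answer; True only if all three match."""
        if self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        ok = set(responses) == set(self.challenge)
        for i in self.challenge:
            salt, stored = self.record[i]
            ok &= hmac.compare_digest(_digest(responses.get(i, ""), salt), stored)
        return ok
```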
Current thread:
- Passowrd - User Self Service Resets? Dave Koontz (Mar 14)
- <Possible follow-ups>
- Re: Passowrd - User Self Service Resets? Rob Tanner (Mar 14)
- Re: Passowrd - User Self Service Resets? Lucas, Bryan (Mar 14)
- Re: Passowrd - User Self Service Resets? Rich Graves (Mar 14)
- Re: Passowrd - User Self Service Resets? Lucas, Bryan (Mar 14)
- Re: Passowrd - User Self Service Resets? clementz.7 (Mar 14)
- Re: Passowrd - User Self Service Resets? Vicky Walker (Mar 14)
- Re: Passowrd - User Self Service Resets? Chris Boniforti - Lynn University (Mar 14)
- Re: Passowrd - User Self Service Resets? Lucas, Bryan (Mar 14)
- Re: Passowrd - User Self Service Resets? Gary Dobbins (Mar 15)
- Re: Passowrd - User Self Service Resets? Hart, Lee Anne (Mar 15)
- Re: Passowrd - User Self Service Resets? stanislav shalunov (Mar 15)
- Re: Passowrd - User Self Service Resets? Bill Frazier (Mar 15)
- Re: Passowrd - User Self Service Resets? Chris Boniforti - Lynn University (Mar 17)
- Re: Passowrd - User Self Service Resets? Lucas, Bryan (Mar 17)
- Re: Passowrd - User Self Service Resets? Lucas, Bryan (Mar 17)