Educause Security Discussion mailing list archives
Re: Self-Service Password Reset Practices
From: Chad McDonald <chad.mcdonald () GCSU EDU>
Date: Mon, 25 Jul 2005 14:49:44 -0400
I would recomend that you steer away from the SSN in your reset requirements. I can certainly see how that could be used for phishing. Thanks, Chad McDonald, CISSP Chief Information Security Officer Georgia College & State University 478.445.4473 Office 478.454.8250 Cell 478.445.1202 Fax _____ From: Russ Wade [mailto:Russ.Wade () WICHITA EDU] Sent: Monday, July 25, 2005 2:14 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Self-Service Password Reset Practices Hello, We at Wichita State University are in the early stages of implementing an Identity Management system. We will use a single sign-on to authenticate access to multiple applications. This will include, in part, SCT Banner for back office and student use. Our email system will use this same sign-on and be equally affected by lockouts and password changes. We are using strong passwords and anticipate a high volume of password reset requests. We are interested in ways others have found practical and secure for a self-service password reset function. We are considering requiring the following information for password resets: First Name Last Name SSN Date of Birth Current Mailing Zip Code We would send an email notification to individuals when their password is reset, but their first indication of an intruder password reset would be the inability to log on. Is this generally considered sufficient or do most institutions include some additional form of security, such as a challenge question? Thanks, Russ Russ Wade, SCT Banner Security Specialist Wichita State University University Computing and Telecommunications Services 1845 Fairmount Wichita, KS 67260-0098 Email: Russ.Wade () Wichita edu Office: (316) 978-3859 Mobile: (316) 312-0185 Fax: (316) 978-3894
Current thread:
- Self-Service Password Reset Practices Russ Wade (Jul 25)
- <Possible follow-ups>
- Re: Self-Service Password Reset Practices Lucas, Bryan (Jul 25)
- Re: Self-Service Password Reset Practices Chad McDonald (Jul 25)
- Re: Self-Service Password Reset Practices clementz.7 (Jul 25)
- Re: Self-Service Password Reset Practices Cal Frye (Jul 25)
- Re: Self-Service Password Reset Practices Gary Dobbins (Jul 26)
- Re: Self-Service Password Reset Practices John Kristoff (Jul 28)
- Re: Self-Service Password Reset Practices Scott Fendley (Jul 28)