Re: Password Self-Service software

[jack suess <jack () UMBC EDU>]

On Feb 17, 2009, at 11:27 AM, Gary Dobbins wrote:

> There's also the accompanying challenge of convincing current
> accountholders to take the time to register themselves with this
> service.
>
> The one you mention below is quite clever, but one thing these
> schemes all have in common is the user has to actually visit them
> *before* they need the service (and to not be in such a hurry that
> they can give due care to their answer choices).
>
> Having it be part of new-account activation is not as hard, but how
> are schools adding these to existing systems, and inspiring the user
> base to register themselves?

What we are planning to do is try to tie this to our emergency
notification system that we ask people to update annually. For many
people this is something they want to be involved in and it allows us
to capture and verify their emergency contact number. We use that
information to send the user a "text message", if they opt-ed for
this, whenever their password gets reset as an out of bound security
notice as a text message.

The other feature we have done in designing our password reset process
is use a cookie that we put on their machine when they have
successfully logged in. If the machine has that cookie we have a
simpler process for getting your password reset than if you don't
(less questions you have to answer). In fact, for certain levels of
assurance you might not be able to get your password reset without
being on a machine that has a cookie demonstrating a past valid login
for that user ( I should note our computer labs have roaming profiles
so users can't see other people's cookies).  What is nice with this is
that you can decide based on IP address (on-campus or off, U.S or
international) whether you will allow a password reset from a machine
that has never successfully logged in.


jack suess



> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU
> ] On Behalf Of Chancellor, Beth C.
> Sent: Tuesday, February 17, 2009 11:07 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password Self-Service software
>
> I have been particularly enamored with something that gets away from
> the user typing in answers to questions.  While our institution is
> not even close to using this or something similar, I thought I'd
> throw it out there.  This type of reset application seems to have
> lots of benefits including eliminating key logging as a problem.
>
> http://www.ravenwhite.com/iforgotmypassword.html
>
> Beth
>
>
>
> Beth Chancellor
> Chief Information Security Officer
> University of Missouri
> (573)882-3503
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU
> ] On Behalf Of Greg Francis
> Sent: Tuesday, February 10, 2009 3:18 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Password Self-Service software
>
> Hello,
>
> We're wanting to implement a password self-service site for our users.
> I'm wondering what others are using. We're using AD for our back-end
> authentication. We have about 7500 students and employees and about
> 20,000 alumni accounts which receive relatively casual use.
>
> Here are the things that we're looking for:
>
> 1) Reset password using some sort of question/answer module
> 2) Allow pre-population of questions/answers would be desirable
> 3) Being able to send a one-time, expiring, password would be nice
> 4) Logging, logging, logging
> 5) We'll likely develop our own account provisioning but would like it
> to tie into this system for initial password connectivity
> 6) Enforcement of password rules
> 7) Notification to users when their password is about to expire
>
> I've been looking at Password Manager from Quest but would like to
> hear suggestions from others.
>
> Thanks,
> Greg
>
> Greg Francis
> Director, Central Computing and Network Support Services
> Information Technology Services
> Gonzaga University
> 509-313-6896
> francis () gonzaga edu