Educause Security Discussion mailing list archives
Re: Challenge/response questions?
From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Tue, 14 Apr 2009 21:24:37 -0500
How close does something like: wmic useraccount where "domain=foobar" come to getting what you want? -ken Leon DuPree wrote:
Does anyone have sample script for Active Directory that would list users and rights? Be great if I could get some kind of error handling with it in case it does not work on a server. Let me know if you have any questions why? (I am not interested in rinventing the wheel :) Leon DuPree University of Michigan LSA Intern On Mon, Apr 13, 2009 at 12:23 PM, Schumacher, Adam J <ADAMSCHUMACHER () creighton edu <mailto:ADAMSCHUMACHER () creighton edu>> wrote: We use security questions plus having access to a secondary email account or cellphone capable of receiving text messages to reset passwords. We provide 15 possible questions to choose from, of which they must select three (and answer a random selection of 2). Best practices for questions would involve things that aren't likely to change over time (excludes "whats your favorite _____?" type questions), things that aren't too easy to guess or find out, and have high entropy (lots of possible answers). Some examples of decent questions might include: What is your oldest sibling's birthday? What is the address of the first house you lived in? What hospital where you born at? What was the color of your first car? What was the make/model of your first car? On 4/10/09 12:57 PM, "Witmer, Robert" <r.witmer () SNHU EDU <mailto:r.witmer () SNHU EDU>> wrote: > There must be a better way! We have a customized single sign on solution and > are looking at self service password resets from a web page. Everything after > authentication has been worked out. Currently we are thinking of using > challenge/response type questions to verify account ownership. However, > either most of the information is available on line (mother's maiden name = > genealogy sites) or includes personally identifying information (SSN last 4) > that we don't collect and don't want to use. > > Anyone have a better idea? If not, anyone have better challenge/response > questions? > > Regards, > Bob sha1( Adam Schumacher Information Security Engineer Creighton University Don't share your password with ANYONE, EVER. This means YOU! 402-280-2383 402-672-1732 ) = 1a72637cf94189654ab1a827520a5e41738f41b0 -- EIM Consulting PO Box 320822 Flint Township, MI 48532 Leon DuPree B.S MBA Chief Security Consultant Phone: 810-569-6427 Fax: 270- 447-3872
-- - Ken ================================================================= Ken Connelly Associate Director, Security and Systems ITS Network Services University of Northern Iowa email: Ken.Connelly () uni edu p: (319) 273-5850 f: (319) 273-7373
Current thread:
- Re: Challenge/response questions?, (continued)
- Re: Challenge/response questions? Schumacher, Adam J (Apr 13)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
- Re: Challenge/response questions? Bob Bayn (Apr 14)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
- Re: Challenge/response questions? Charles Buchholtz (Apr 14)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
- Re: Challenge/response questions? Leon DuPree (Apr 14)
- Re: Challenge/response questions? Ken Connelly (Apr 14)
- Re: Challenge/response questions? Brian Desmond (Apr 15)
- Re: Challenge/response questions? Schumacher, Adam J (Apr 15)