Educause Security Discussion mailing list archives
Re: Password change procedures
From: Quentin L McCallum <mccalluq () LCC EDU>
Date: Fri, 2 May 2014 18:43:43 +0000
We built our own. We control the security questions. The user "claims" their account and sets up either a non-LCC email or a set of security questions. The question/answer is weighted, so if the person selects a question that is easy to find, the weight is low. They are prompted for more questions. "Good" security questions mean fewer questions/answers.

One nice feature that the team built in was a password strength calculator. Goes from red over to green as the person exceeds our minimums.

Thanks,

Quentin L. McCallum, CISSP, ITIL-F, GCFE
Information Security Analyst
Lansing Community College
517-267-5014

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
Sent: Friday, May 02, 2014 2:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change procedures

We have used security questions for self-service password reset for several years. When we started with that, I had high hopes that our process would work well. It doesn't.

We will soon be rolling out a new scheme that requires the user to sign up (while authenticated to our portal) with an SMS-capable phone number or a non-UNI email address. When the user forgets or otherwise needs a password reset, they provide either their username or university ID number and a code is sent to the previously-registered destination that will allow them to create a new password for their account.

- ken

On 5/2/14, 1:12 PM, Roger A Safian wrote:
We were able to use our own security questions. We tried to make them a little less easy to search for, but, with a young population I still have this concern.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis Levine
Sent: Friday, May 2, 2014 12:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password change procedures

Hi Everyone,

I'm wondering if I could get some feedback as to how you have your school's procedures set up to change a user's password. Not when or how long it should be (we already beat that to death in the last thread with the Heartbleed bug). I'm talking about: do you have a web-based user self-portal that allows someone to enter name and ID number, answer a security question or two to get to a password change screen if they forgot their password? If so, did you get pushback because of the security questions that may have been asked, such as "pick an address you may have lived at" or "what is your mother's maiden name" etc., and all the wonderful problems that come with FERPA or PII info? Do you do it another way?

Thanks,

Dennis Levine

Dennis Levine | Network and Security Administrator | 120 Boylston Street Boston, MA 02116-4624 | (617) 824-8972 | Dennis_Levine () emerson edu | www.emerson.edu
--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!

Current thread:
- Password change procedures Dennis Levine (May 02)
- Re: Password change procedures David Curry (May 02)
- Re: Password change procedures Roger A Safian (May 02)
- Re: Password change procedures Ken Connelly (May 02)
- Re: Password change procedures Quentin L McCallum (May 02)
- Re: Password change procedures Ken Connelly (May 02)