Re: Use of PIN for Self Service Password Reset

[Thomas Carter <tcarter () AUSTINCOLLEGE EDU>]

In a past life in the corporate world, we used base 32 (https://en.wikipedia.org/wiki/Base32) for easy OCR reading. The 
downside is communicating this to end users (I.E. the digit 1 will never occur because it’s too similar to the letter 
“eye” I.

Thomas Carter
Network & Operations Manager
Austin College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank 
Barton
Sent: Wednesday, August 3, 2016 7:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Use of PIN for Self Service Password Reset

One Caveat that I would strongly suggest if you are using an alphanumeric PIN (and I'm not sure if you mean 
One-Time-Password, or a user set PIN that can be used ad-nauseam to reset) is to avoid the use of confusing characters 
(Il1oO0) unless you can control the interface in such a way as to make them very clearly distinct (upper case "I" 
having the top and bottom cross-bars, "0" having a center diagonal, etc)

Frank

On Wed, Aug 3, 2016 at 7:52 AM, Steve Munson <smunson () marymount edu<mailto:smunson () marymount edu>> wrote:
We are moving to a use of 4 character PIN for self service password reset and am interested to see what standards 
others have established for PINs. For example, we are considering setting the PIN requirement to be at least 2 
characters and 2 numbers. We are planning to use alphanumeric PIN instead of numeric to provide opportunity for more 
PIN complexity versus numeric only but interested in feedback/perspective from this group.


Regards,

Steve Munson


Executive Director, IT Services

Marymount University

Arlington, Virginia



--
Frank Barton
ACMT
IT Systems Administrator
Husson University