Educause Security Discussion mailing list archives

Re: Use of PIN for Self Service Password Reset


From: Frank Barton <bartonf () HUSSON EDU>
Date: Thu, 4 Aug 2016 10:57:13 -0400

Steve, I would recommend against this - in effect you are proposing to
create a 4-character password for folks to access their accounts.

Frank

On Wed, Aug 3, 2016 at 5:52 PM, Steve Munson <smunson () marymount edu> wrote:

Thank you for the responses. The PIN I am referring to is for the user to
confirm identity so that it "can be used ad-nauseam to reset".


Steve

On 8/3/16 4:33 PM, Thomas Carter wrote:

In a past life in the corporate world, we used base 32
(https://en.wikipedia.org/wiki/Base32) for easy OCR reading. The downside
is communicating this to end users (i.e. the digit 1 will never occur
because it’s too similar to the letter “eye” I).



Thomas Carter

Network & Operations Manager

Austin College



*From:* The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Frank Barton
*Sent:* Wednesday, August 3, 2016 7:29 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Use of PIN for Self Service Password Reset



One caveat that I would strongly suggest if you are using an alphanumeric
PIN (and I'm not sure if you mean One-Time-Password, or a user-set PIN that
can be used ad-nauseam to reset) is to avoid the use of confusing
characters (Il1oO0) unless you can control the interface in such a way as
to make them very clearly distinct (upper case "I" having the top and
bottom cross-bars, "0" having a center diagonal, etc.).



Frank



On Wed, Aug 3, 2016 at 7:52 AM, Steve Munson <smunson () marymount edu>
wrote:

We are moving to the use of a 4-character PIN for self-service password reset
and are interested to see what standards others have established for PINs.
For example, we are considering setting the PIN requirement to be at least
2 characters and 2 numbers. We are planning to use an alphanumeric PIN instead
of numeric to provide opportunity for more PIN complexity versus numeric
only, but are interested in feedback/perspective from this group.


Regards,

Steve Munson


Executive Director, IT Services

Marymount University

Arlington, Virginia





--

Frank Barton

ACMT

IT Systems Administrator

Husson University





-- 
Frank Barton
ACMT
IT Systems Administrator
Husson University
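
Added example, not part of the original thread or written by any of its participants: a keyspace count for the 4-character PIN schemes discussed above, with and without the look-alike characters (Il1oO0) and with and without the "2 characters and 2 numbers" rule. It assumes "characters" means letters and that PINs are case-insensitive (A-Z only); the function and scheme names are illustrative.

```python
import math

# Assumption: PINs are case-insensitive, so letters are A-Z only.
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
DIGITS = "0123456789"
CONFUSING = set("Il1oO0")  # the look-alike set named in the thread


def strip_confusing(alphabet):
    """Drop the look-alike characters from an alphabet."""
    return "".join(c for c in alphabet if c not in CONFUSING)


def keyspace(length, letters, digits, min_letters=0, min_digits=0):
    """Count PINs of `length` with at least the given letters and digits."""
    total = 0
    # k = number of positions holding a letter; the rest hold digits.
    for k in range(min_letters, length - min_digits + 1):
        total += (math.comb(length, k)
                  * len(letters) ** k
                  * len(digits) ** (length - k))
    return total


def compare(length=4):
    """Return {scheme: (pin_count, bits)} for the schemes discussed."""
    safe_l, safe_d = strip_confusing(LETTERS), strip_confusing(DIGITS)
    schemes = {
        "numeric only": keyspace(length, "", DIGITS),
        "alphanumeric, no rule": keyspace(length, LETTERS, DIGITS),
        "alphanumeric, 2 letters + 2 digits": keyspace(length, LETTERS, DIGITS, 2, 2),
        "no look-alikes, no rule": keyspace(length, safe_l, safe_d),
        "no look-alikes, 2 letters + 2 digits": keyspace(length, safe_l, safe_d, 2, 2),
    }
    return {name: (n, round(math.log2(n), 1)) for name, n in schemes.items()}


if __name__ == "__main__":
    for name, (n, bits) in compare().items():
        print(f"{name:40s} {n:>9,d} PINs  ~{bits} bits")
```

Under these assumptions the 2-letters-plus-2-digits rule leaves 405,600 of the 1,679,616 unrestricted alphanumeric PINs, and removing the look-alike characters as well leaves 221,184.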
