Educause Security Discussion mailing list archives
Re: Password resets
From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Tue, 1 Aug 2017 20:12:48 +0000
We modify this a little.

- We do have an SSPR tool that we make students set up during orientation week (the SSPR is part of our SSO).
- A password reset may be initiated by email, or ticket, but they only may continue after we call the person back on their primary phone number in the ERP. If a call initiates this, we verify the phone number used vs the ERP.
- We verify 3 of 6 different designated fields from our ERP, before setting somebody’s password (phone number used is usually one of those fields).
- Our levels are –
  Level 1 – Students - All tech personnel.
  Level 2 – Employees may only be reset by full-time tech personnel (leaves out student workers)
  Level 3 – Any special accounts, or management only can be done by network staff

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Wasson
Sent: Tuesday, August 01, 2017 3:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password resets

1. We allow password reset requests via telephone
2. Individuals are required to confirm 3 pieces of individual identifying information.
3. We have 3 levels of password reset permission.
   * Level 1 - Employees that deal directly with students (registration, financial aid, records, advising, etc) have the ability to change student passwords, but not employee passwords.
   * Level 2 - Employee passwords can only be changed by help desk personnel or IT staff.
   * Level 3 - IT staff passwords can only be changed by other IT staff members.
4. Temp passwords are verbally given if the individual is on the phone.
Dan

Dan Wasson
Director Systems & LAN Management
Northwestern Michigan College
231-995-1164
dwasson () nmc edu

Don't be a scam victim - NMC and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information.

On Tue, Aug 1, 2017 at 10:22 AM, McClenon, Brady <Brady.McClenon () oneonta edu> wrote:

I’m curious as to how other institutions handle user password resets when self-service mechanisms fail or options are exhausted. Specific questions I have are:

1. Do you allow reset requests over the phone, or require they be done in person?
2. How do you verify identity over the phone or in person?
3. Who at your institution is empowered to perform password resets?
4. How do you deliver the new/temp password to the user?

Thanks,

Brady McClenon
IT Security Administrator
ITS – IT Security
SUNY Oneonta

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone at (815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
Current thread:
- Password resets McClenon, Brady (Aug 01)
- Re: Password resets Dan Wasson (Aug 01)
- Re: Password resets Barton, Robert W. (Aug 01)
- Re: Password resets Dan Wasson (Aug 01)