Re: Passowrd - User Self Service Resets?

[Rob Tanner <rtanner () LINFIELD EDU>]

We recently implemented self-service reset.  Account creation is also
self-service and we collect several items of verifiable data (against their
student record in Datatel/Colleague) that we consider sufficient to insure
that the requestor is entitled to an account and is who they say they are.
Amongst those data is their mother's maiden name.  We don't have that on
record ahead of time but this gives us a record.

SSNs are not readily available for faculty or staff to look at (except for a
small set of folks) and there's not much you can do if a user loses his
wallet (the identity thief is probably far more interested in using the
credit cards and applying for new credit, etc, than in changing passwords).
Therefore, we require their full social security number and their mother's
maiden name to do self-service.

The code for the self-service app is quit extensive as it's all
interconnected with other parts of accounts management, and I'm not willing
to share that (besides, unless you use Datatel/Colleague, it won't be
terribly helpful).

Our webapps actually reside on a Solaris machine, and are written in Java.
What I am happy to share, if it's what you need, is the java code that
properly encrypts the password prior to writing to AD and handles the LDAP
handshake to reset the password.

-- Rob

--On Monday, March 14, 2005 02:13:36 PM -0500 Dave Koontz <dkoontz () MBC EDU>
wrote:

> We have been asked to explore and evaluate programs which provide users with
> a "Self Service" password reset mechanism via a Web Page.  This is because
> of an increasing number of our students who either forget their passowrds,
> or set their browser to "remember" their password and don't have a clue what
> it is when change time comes, causing more and more work for our helpdesk.
>
> Has anyone written such a Web Program for allowing users to reset their own
> passwords against a Windows 2003 AD Domain that they could share?  Retail
> products seem to be extremely over-priced.  If you have found a reasonably
> priced, well designed retail product please share any details.
>
> Also, it has been suggested that the only information we need to collect
> from a user via a web form to reset their account is the Network UserName,
> College ID Number and the last 4 digits of their social security numbers.
> This concerns me because all the information necessary to reset a password
> is in a users wallet / purse, which of course could be lost.  Also, this
> information is readily available to any of our faculty and staff via our
> Administrative software.  Do anyone of you reset passwords with only this
> data?
>
> Would anyone be willing to share what they belive should be the MININIMUM
> Data collection requirements?  And how do you force users to go though a
> registration process to populate the Password Reset system?  I would like to
> go to management with some 'from the field' reports of what others are
> doing.
>
> Thanks in Advance!
>
> ---
> Dave Koontz
> Associate Director, CIS
> Mary Baldwin College
> Staunton, VA
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/groups/.



--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.