Educause Security Discussion mailing list archives
Re: Password - User Self Service Resets?
From: "clementz.7" <clementz.7 () OSU EDU>
Date: Mon, 14 Mar 2005 15:56:10 -0500
We pull data from a warehouse and do use T1234C as a default password when resetting (1234 being the last four of the SSN). Then when the students log in for the first time they are required to change to a 6-character-minimum alphanumeric password.

Todd Clementz
Systems Administrator
Knowlton School of Architecture
The Ohio State University

----- Original Message -----
From: "Rich Graves" <rcgraves () BRANDEIS EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Monday, March 14, 2005 3:16 PM
Subject: Re: [SECURITY] Password - User Self Service Resets?
On Mon, 14 Mar 2005, Dave Koontz wrote:

Also, it has been suggested that the only information we need to collect from a user via a web form to reset their account is the Network UserName, College ID Number and the last 4 digits of their social security numbers. This concerns me because all the information necessary to reset a password is in a user's wallet / purse, which of course could be lost. Also, this information is readily available to any of our faculty and staff via our Administrative software. Do any of you reset passwords with only this data?

I certainly wouldn't. We have a 3 or 4 step process. The code uses perl Net::LDAP, Digest::MD5, and CGI::Carp and could be shared, but it's not very likely to be useful unless you have a good variety of shared secrets in your LDAP or other readily accessible data store. If all you have to go with is numbers printed on your wallet, I think you need to add some process to set/fetch personal challenge questions. The code to actually change a Windows password is easy in any language. Google for "unicodePwd".

Our Page 1 asks for username, surname, and birthdate. Upon successful submission of page 1, we email a warning to the account to the effect, "Someone just viewed your security questions; please contact security@brandeis if it wasn't you."

Page 2 asks for any of the following that are appropriate: full SSN (our directory store has only an MD5 MAC of SSN, not the cleartext), primary and optional secondary personal challenge question, student peoplesoft emplID, staff emplID, ID card number (our ID cards display random 16-digit ISO numbers that change to something completely different if the card is lost; the actual internal ID number is only displayed on bills, checkstubs, etc.). If at least 3 of the questions on Page 2 are answered correctly, then we allow a password change. If only 2 are correct, we ask for alternate phone and email contact, and a sysadmin decides whether to call back and be social engineered.

Sensitive accounts (for example, mine) can explicitly opt out of self-service password resets by setting one of their personal challenge questions to "demand photo ID in person."

Many sites, such as Google and Yahoo, do an image-based Turing test to defeat brute-force scripts. I don't believe that complies with accessibility requirements. Instead, we log all accesses to step 1 and 2 and only allow 1 attempt per username *or* per IP address per 5 minutes.

On-campus users can come to the help desk in person, as always. In order to protect both the user and the help desk, the help desk cannot reset passwords without the answer to at least one challenge question.

--
Rich Graves <rcgraves () brandeis edu>
UNet Systems Administrator

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
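As an added illustration, not Rich's Perl code (which is not shown on this page), here is a Python sketch of the reset flow he describes: page 1 logs every access and allows one attempt per username or per IP address per 5 minutes, page 2 counts correct shared secrets and applies the 3-correct / 2-correct thresholds, the SSN is held only as a keyed hash (HMAC-SHA256 here in place of the MD5 MAC he mentions), and the "demand photo ID in person" opt-out short-circuits self-service. The directory record, key and all values are constructed for the example.

```python
import hmac
import hashlib

# Constructed demo key; a real deployment keeps the MAC key in a secret store, not in code.
SSN_MAC_KEY = b"constructed-demo-key"
WINDOW_SECONDS = 300  # one attempt per username *or* per IP address per 5 minutes

def ssn_mac(ssn: str) -> str:
    # Keyed hash stored instead of the cleartext SSN (HMAC-SHA256 here, not the MD5 MAC in the thread)
    return hmac.new(SSN_MAC_KEY, ssn.encode(), hashlib.sha256).hexdigest()

DIRECTORY = {  # constructed sample record; every value is made up
    "jdoe": {"surname": "Doe", "birthdate": "1986-04-02", "ssn": ssn_mac("123-45-6789"),
             "challenge1": "blue", "challenge2": "rex", "emplid": "000123"},
}

class ResetGate:
    def __init__(self, directory):
        self.directory = directory
        self.last_attempt = {}   # ("user", name) or ("ip", addr) -> time of last allowed attempt
        self.audit = []          # every page-1/page-2 access is recorded

    def step1(self, username, surname, birthdate, ip, now):
        # Page 1: username, surname, birthdate; throttled per user and per IP before any lookup
        self.audit.append(("step1", username, ip, now))
        keys = (("user", username), ("ip", ip))
        if any(now - self.last_attempt.get(k, float("-inf")) < WINDOW_SECONDS for k in keys):
            return "throttled"
        self.last_attempt.update(dict.fromkeys(keys, now))
        rec = self.directory.get(username)
        if rec is None or (rec["surname"], rec["birthdate"]) != (surname, birthdate):
            return "denied"
        self.audit.append(("warn_mail", username))  # stands in for the "someone viewed your questions" mail
        return "ok"

    def step2(self, username, answers):
        # Page 2: count correct shared secrets; 3 or more allow, exactly 2 go to a human, else deny
        rec = self.directory[username]
        if rec.get("in_person_only"):  # the "demand photo ID in person" opt-out
            return "in_person"
        correct = 0
        for field, given in answers.items():
            expected = rec.get(field)
            given = ssn_mac(given) if field == "ssn" else given  # compare MAC to MAC, never cleartext
            if expected is not None and hmac.compare_digest(expected, given):
                correct += 1
        if correct >= 3:
            return "allow"
        return "manual_review" if correct == 2 else "denied"
```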