Re: Passowrd - User Self Service Resets?

["clementz.7" <clementz.7 () OSU EDU>]

We pull data from a wharehouse and do use T1234C as a default password when
resetting (1234 being the last four of the SSN).  Then when the students log
for the first time they are required to change to 6 character min.  alpha
numberic password.

Todd Clementz
Systems Administrator
Knowlton School of Architecture
The Ohio State University

----- Original Message -----
From: "Rich Graves" <rcgraves () BRANDEIS EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Monday, March 14, 2005 3:16 PM
Subject: Re: [SECURITY] Passowrd - User Self Service Resets?


> On Mon, 14 Mar 2005, Dave Koontz wrote:
> > Also, it has been suggested that the only information we need to collect
> > from a user via a web form to reset their account is the Network
> > UserName,
> > College ID Number and the last 4 digits of their social security numbers.
> > This concerns me because all the information necessary to reset a
> > password
> > is in a users wallet / purse, which of course could be lost.  Also, this
> > information is readily available to any of our faculty and staff via our
> > Administrative software.  Do anyone of you reset passwords with only this
> > data?
>
> I certainly wouldn't.
>
> We have a 3 or 4 step process. The code uses perl Net::LDAP, Digest::MD5,
> and CGI::Carp and could be shared, but it's not very likely to be useful
> unless you have a good variety of shared secrets in your LDAP or other
> readily accessible data store. If all you have to go with is numbers
> printed on your wallet, I think you need to add some process to set/fetch
> personal challenge questions.
>
> The code to actually change a Windows password is easy in any language.
> Google for "unicodePwd".
>
> Our Page 1 asks for username, surname, and birthdate. Upon successful
> submission of page 1, we email a warning to the account to the effect,
> "Someone just viewed your security questions; please contact
> security@brandeis if it wasn't you."
>
> Page 2 asks for any of the following that are appropriate: full SSN (our
> directory store has only an MD5 MAC of SSN, not the cleartext), primary
> and
> optional secondary personal challenge question, student peoplesoft emplID,
> staff emplID, ID card number (our ID cards display random 16-digit ISO
> numbers that change to something completely different if the card is lost;
> the actual internal ID numbers is only displayed on bills, checkstubs,
> etc.).
>
> If at least 3 of the questions on Page 2 are answered correctly, then we
> allow a password change. If only 2 are correct, we ask for alternate phone
> and email contact, and a sysadmin decides whether to call back and be
> social engineered.
>
> Sensitive accounts (for example, mine) can explicitly opt out of
> self-service password resets by setting one of their personal challenge
> questions to "demand photo ID in person."
>
> Many sites, such as Google and Yahoo, do an image-based Turing test to
> defeat brute-force scripts. I don't believe that complies with
> accessibility requirements. Instead, we log all accesses to step 1 and 2
> and only allow 1 attempt per username *or* per IP address per 5 minutes.
>
> On-campus users can come to the help desk in person, as always. In order
> to
> protect both the user and the help desk, the help desk cannot reset
> passwords without the answer to at least one challenge question.
> --
> Rich Graves <rcgraves () brandeis edu>
> UNet Systems Administrator
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.