Educause Security Discussion mailing list archives

Re: Password - User Self Service Resets?


From: Vicky Walker <Vwalker () UNT EDU>
Date: Mon, 14 Mar 2005 15:30:59 -0600

Our users are required to select a secret question and enter an answer when activating their accounts.  When resetting
their password, we present the secret question to them and they must answer it correctly plus provide DOB and SSN.  If
they do not remember the answer, they must contact our HelpDesk for assistance.


Vicky Walker-Brooks
EIS Security Team Lead
UNT, Computing and IT Center
940-565-3376
vwalker () unt edu

**********************************************************
Nobody, but nobody can make it out here alone.      
                         Maya Angelou
**********************************************************
dkoontz () MBC EDU 03/14/05 1:13 PM >>>
We have been asked to explore and evaluate programs which provide users with
a "Self Service" password reset mechanism via a Web Page.  This is because
of an increasing number of our students who either forget their passwords,
or set their browser to "remember" their password and don't have a clue what
it is when change time comes, causing more and more work for our helpdesk.

Has anyone written such a Web Program for allowing users to reset their own
passwords against a Windows 2003 AD Domain that they could share?  Retail
products seem to be extremely over-priced.  If you have found a reasonably
priced, well designed retail product please share any details.

Also, it has been suggested that the only information we need to collect
from a user via a web form to reset their account is the Network UserName,
College ID Number and the last 4 digits of their social security numbers.
This concerns me because all the information necessary to reset a password
is in a user's wallet / purse, which of course could be lost.  Also, this
information is readily available to any of our faculty and staff via our
Administrative software.  Do any of you reset passwords with only this
data?

Would anyone be willing to share what they believe should be the MINIMUM
Data collection requirements?  And how do you force users to go through a
registration process to populate the Password Reset system?  I would like to
go to management with some 'from the field' reports of what others are
doing.

Thanks in Advance!

---
Dave Koontz
Associate Director, CIS
Mary Baldwin College
Staunton, VA

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
