Educause Security Discussion mailing list archives

Re: Password - User Self Service Resets?


From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 16 Mar 2005 18:23:05 -0500

Thanks to one and all for the EXCELLENT feedback to this question.  I now
have enough information to inform management what other campuses are doing,
and the potential legal and security ramifications involved.

  _____

From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jimmy L. Fikes
Sent: Wednesday, March 16, 2005 1:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password - User Self Service Resets?



We are implementing applications for user-management of network & e-mail
accounts. Our WAN stretches over six states. Not only does this complicate
security but it also requires that we keep up with various laws controlling
use of SSN in each of the states. We are proceeding as if legislation will
soon prohibit the use of SSN - so we are not using SSN for any
administrative reference to persons. We have unique ID numbers for each
person and this ID number is how we reference a given person in all systems.
We prohibit caching of username and passwords on all web forms where this
information is entered.

Jimmy Fikes
Chief Information Officer
Wayland Baptist University



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv on behalf of Dick
Jacobson
Sent: Wed 3/16/2005 8:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password - User Self Service Resets?

On Tue, 15 Mar 2005, m-powe wrote:

My understanding is you can ask them for the SSN as long as you tell them
they do not have to give it to you and what the result of them not giving
it will be.

We are currently deploying a system that asks for the Date-of-Birth, the
SSN and the response to a question they have previously provided.  The
question is one of some really simple ones we have provided or one of
their choosing.  We kept our sample questions simple enough so I expect
most people to select their own questions.

Also, at the first screen we tell the person if they do not want to give
their SSN they can present their picture id at their campus Help Desk for
assistance.

Because of the geographic distribution of our system (11 campuses
throughout the state) and the growing Distance-Ed issues, we have had a
call for this service for some time and HOPE we have examined all the
issues involved.

I would discourage the use of the SSN for authenticating the person or
using any part of the SSN for the reset password.  You can ask people to
volunteer their SSN, but I do not believe you can require it for this
business purpose.

It's an issue for us, too, and we're moving toward collecting other
data to aid in the authentication process.

Mark


Mark M. Powell
Office of Information Technology
OIT Data Security
University of Minnesota
1300 S. 2nd Street, Room 548e
Minneapolis, MN 55454

612-625-8598
952-237-0306 (cell)
612-625-0303 (fax)
http://www.umn.edu/datasec/security
Passwords are like toothbrushes--change them often and don't share
them.

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.



--

-----------------------------------------------------------------------
Dick Jacobson                   e-mail : Dick.Jacobson () ndsu NoDak edu
ND HECN MultiUser Host SysAd    office : IACC 206, NDSU
NDUS IT Security Officer        phone  : 701-231-7385
-----------------------------------------------------------------------
