Educause Security Discussion mailing list archives

Self-Service Password Reset Practices


From: Russ Wade <Russ.Wade () WICHITA EDU>
Date: Mon, 25 Jul 2005 13:13:44 -0500

Hello,

We at Wichita State University are in the early stages of implementing an
Identity Management system.  We will use a single sign-on to authenticate
access to multiple applications.  This will include, in part, SCT Banner
for back office and student use.  Our email system will use this same
sign-on and be equally affected by lockouts and password changes.

We are using strong passwords and anticipate a high volume of password
reset requests.

We are interested in ways others have found practical and secure for a
self-service password reset function.

We are considering requiring the following information for password
resets:

        First Name
        Last Name
        SSN
        Date of Birth
        Current Mailing Zip Code

We would send an email notification to individuals when their password is
reset, but their first indication of an intruder password reset would be
the inability to log on.

Is this generally considered sufficient or do most institutions include
some additional form of security, such as a challenge question?

Thanks,

Russ

Russ Wade,
SCT Banner Security Specialist
Wichita State University
University Computing and Telecommunications Services
1845 Fairmount
Wichita, KS  67260-0098
Email:   Russ.Wade () Wichita edu
Office:  (316) 978-3859
Mobile: (316) 312-0185
Fax:     (316) 978-3894
