Educause Security Discussion mailing list archives

Re: Self-Service Password Reset Practices


From: "clementz.7" <clementz.7 () OSU EDU>
Date: Mon, 25 Jul 2005 15:23:38 -0400

Instead of the whole SSN, we just use the last four.
  ----- Original Message ----- 
  From: Chad McDonald 
  To: SECURITY () LISTSERV EDUCAUSE EDU 
  Sent: Monday, July 25, 2005 2:49 PM
  Subject: Re: [SECURITY] Self-Service Password Reset Practices


  I would recommend that you steer away from the SSN in your reset requirements.  I can certainly see how that could be used for phishing.

  Thanks, 
  Chad McDonald, CISSP
  Chief Information Security Officer
  Georgia College & State University
  478.445.4473  Office
  478.454.8250 Cell
  478.445.1202 Fax
------------------------------------------------------------------------------
  From: Russ Wade [mailto:Russ.Wade () WICHITA EDU] 
  Sent: Monday, July 25, 2005 2:14 PM
  To: SECURITY () LISTSERV EDUCAUSE EDU
  Subject: [SECURITY] Self-Service Password Reset Practices
  Hello, 

  We at Wichita State University are in the early stages of implementing an Identity Management system.  We will use a single sign-on to authenticate access to multiple applications.  This will include, in part, SCT Banner for back office and student use.  Our email system will use this same sign-on and be equally affected by lockouts and password changes. 

  We are using strong passwords and anticipate a high volume of password reset requests. 

  We are interested in ways others have found practical and secure for a self-service password reset function. 

  We are considering requiring the following information for password resets: 

          First Name 
          Last Name 
          SSN 
          Date of Birth 
          Current Mailing Zip Code 

  We would send an email notification to individuals when their password is reset, but their first indication of an intruder password reset would be the inability to log on. 

  Is this generally considered sufficient or do most institutions include some additional form of security, such as a challenge question? 

  Thanks, 

  Russ 
    Russ Wade,  
        SCT Banner Security Specialist  
        Wichita State University  
        University Computing and Telecommunications Services  
        1845 Fairmount  
        Wichita, KS  67260-0098  
        Email:   Russ.Wade () Wichita edu  
        Office:  (316) 978-3859  
        Mobile: (316) 312-0185  
        Fax:     (316) 978-3894 
