Educause Security Discussion mailing list archives

Re: Self-Service Password Reset Practices


From: Cal Frye <cjf () CALFRYE COM>
Date: Mon, 25 Jul 2005 16:23:26 -0400

We currently require either an in-person visit to our help desk or a fax of the
photo ID. All the info below is too easily obtained by third parties. We would
consider only a web-form system with personalized or otherwise obscure
identifying information. Ideally, the user could create the question-response
pair for greatest security.

Email notification is a safeguard for every account but email, of course. We've
seen issues of unauthorized password changes in the past, and would not want to
make it too easy to spoof.

--Cal Frye, Network Administrator, Oberlin College
 www.ouuf.org, www.calfrye.com
GnuPG ID 43061C16, Public key http://www.calfrye.com/cfrye.asc

  "Guard against the impostures of pretended patriotism." --George Washington.


Russ Wade wrote:

We are considering requiring the following information for password resets:

        First Name
        Last Name
        SSN
        Date of Birth
        Current Mailing Zip Code
