Educause Security Discussion mailing list archives
Re: Self-Service Password Reset Practices
From: Cal Frye <cjf () CALFRYE COM>
Date: Mon, 25 Jul 2005 16:23:26 -0400
We currently require either an in-person visit to our help desk or a fax of the photo ID. All the info below is too easily obtained by third parties. We would consider only a web-form system with personalized or otherwise obscure identifying information. Ideally, the user could create the question-response pair for greatest security.

Email notification is a safeguard for every account but email, of course. We've seen issues of unauthorized password changes in the past, and would not want to make it too easy to spoof.

--Cal Frye, Network Administrator, Oberlin College
www.ouuf.org, www.calfrye.com
GnuPG ID 43061C16, Public key http://www.calfrye.com/cfrye.asc
"Guard against the impostures of pretended patriotism." --George Washington.

Russ Wade wrote:

> We are considering requiring the following information for password resets:
>
> First Name
> Last Name
> SSN
> Date of Birth
> Current Mailing Zip Code