Educause Security Discussion mailing list archives

Re: Self-Service Password Reset Practices


From: Gary Dobbins <dobbins () ND EDU>
Date: Tue, 26 Jul 2005 11:15:14 -0500

Purdue, I'm told, has a good mechanism for authenticating for initial
account pickup, which could potentially also serve password resets.  They
ask a series of multi-choice questions based on the individual's online
info, with misleading answers sprinkled in.  One wrong answer may trigger
an alert and possibly lock out retries until a stronger contact can be made.

As another reply indicated, avoid SSN.  Most of the other examples may be
Google-able.  Purdue's approach relies, I believe, on fields on the student
app (and perhaps employee form) that would not normally be found on Google.

Russ Wade wrote:

Hello,

We at Wichita State University are in the early stages of implementing
an Identity Management system.  We will use a single sign-on to
authenticate access to multiple applications.  This will include, in
part, SCT Banner for back office and student use.  Our email system will
use this same sign-on and be equally affected by lockouts and password
changes.

We are using strong passwords and anticipate a high volume of password
reset requests.

We are interested in ways others have found practical and secure for a
self-service password reset function.

We are considering requiring the following information for password resets:

        First Name
        Last Name
        SSN
        Date of Birth
        Current Mailing Zip Code

We would send an email notification to individuals when their password
is reset, but their first indication of an intruder password reset would
be the inability to log on.

Is this generally considered sufficient or do most institutions include
some additional form of security, such as a challenge question?

Thanks,

Russ

Russ Wade,
SCT Banner Security Specialist
Wichita State University
University Computing and Telecommunications Services
1845 Fairmount
Wichita, KS  67260-0098
Email:   Russ.Wade@Wichita.edu
Office:  (316) 978-3859
Mobile: (316) 312-0185
Fax:     (316) 978-3894


--

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- Director, Information Security
  University of Notre Dame, Office of Information Technologies
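Added example, not code from either poster or from Purdue: a sketch of the multiple-choice, decoy-laden verifier described above, with the fail-closed behaviour (one miss alerts and locks retries). The field names, sample profile and decoy lists are constructed for illustration.

```python
"""Sketch of a Purdue-style knowledge-based reset verifier (added example)."""
import secrets
from dataclasses import dataclass, field

# Constructed sample record; in practice these would be fields from the
# student/employee application that are not normally findable online.
PROFILE = {"high_school": "Lincoln High", "first_term_course": "MATH 161",
           "emergency_contact_city": "Dayton", "housing_hall": "Cary Quad"}

# Plausible decoys per field: the "misleading answers sprinkled in".
DECOYS = {"high_school": ["Roosevelt High", "Central High", "Westview High"],
          "first_term_course": ["ENGL 106", "CHEM 115", "HIST 151"],
          "emergency_contact_city": ["Columbus", "Toledo", "Akron"],
          "housing_hall": ["Owen Hall", "Hillenbrand", "Earhart"]}


@dataclass
class ResetSession:
    """State for one reset attempt: once locked, no further answers count."""
    account: str
    locked: bool = False
    alerts: list = field(default_factory=list)


def build_challenge(field_name, profile=PROFILE, decoys=DECOYS):
    """Return (field, shuffled choices) with the true value among the decoys."""
    choices = [profile[field_name]] + list(decoys[field_name])
    secrets.SystemRandom().shuffle(choices)  # CSPRNG so position leaks nothing
    return field_name, choices


def verify_answers(session, answers, required_fields, profile=PROFILE):
    """Every required field must be answered correctly.

    A single wrong or missing answer records an alert and locks the session,
    so the caller must fall back to a stronger contact (help desk, in person).
    """
    if session.locked:
        return False
    for field_name in required_fields:
        if answers.get(field_name) != profile[field_name]:
            session.locked = True
            session.alerts.append(f"KBA miss on {field_name} for {session.account}")
            return False
    return True
```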


