Educause Security Discussion mailing list archives

Re: Automatic Password Resets


From: "Torres, Juan" <torresj () OHIODOMINICAN EDU>
Date: Mon, 29 Oct 2007 17:33:24 -0400

Connie,

In January, we purchased Anixis Password Reset (http://www.anixis.com/). There is a video on the site that does a full 
demo. We had a home grown system, but it was too clunky and it failed our security audit. With the implementation of 
this product, we also changed our expiration time from 45 days to 120 days. We are in the process of implementing more 
complex passwords, but we felt it was a lot of changes to make at one time.  

Pros:
- Very easy to implement. 
        We put together a quick landing page before the application. 
http://helpdesk.ohiodominican.edu/reset/Default.aspx
- My Favorite Feature - Windows Plug-in that can be deployed in seconds by using AD Group Policy, which allows password 
resets right from any campus desktop.
- You customize your own questions
- Faculty/Staff/Students unlock accounts, reset passwords, change passwords
- Disable "VIP" accounts from using it. Therefore, preventing a client from compromising a high-level account
- Automatically disables password reset feature if questions are incorrectly answered
- Helps reduce calls to the helpdesk

Cons:
- Very poor tracking. I cannot provide metrics on how successfully the product is used. 
        The software only creates an event log, no dashboard feature.
        Does not integrate into call tracking software.
- You must do a major campaign to get members to register.
- People forget their registration questions
- This system does not address our issue with initial account activation. Students still need to contact the helpdesk 
to set up their account.
- Only e-mail support because they are overseas. However, very rapid response. 

If you need more information, let me know.

Juan A. Torres
Helpdesk Manager
Ohio Dominican University Computer Helpdesk
1216 Sunbury Road | Columbus | OH | 43219
1.888.251.0773 | 614.253.3615

-----Original Message-----
From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU] 
Sent: Monday, October 29, 2007 5:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Automatic Password Resets

Is anyone doing automatic password resets? We're interested in minimizing the numbers of calls in to our Help Desk - 
especially for the many applicants who forget how to access our application initially - to get started with Brown.

I know there are commercial products out there; do any of you have some positive experience to share about what works 
for you - and if you use something home-grown, I'd be interested in hearing about that as well.

Thanks much!

Connie

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer, Brown University 
Campus Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu,  Office: 401-863-7266 
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB 
