Educause Security Discussion mailing list archives

Re: Password Self-Service software


From: "Ness, Carl J" <carl-ness () UIOWA EDU>
Date: Thu, 12 Feb 2009 11:12:24 -0600

One thing to add to your requirements list is the ability to limit responses of these systems much like account 
lockout. These password reset systems are an increasingly larger target, ever since the Sarah Palin Yahoo incident. Many 
password reset systems are more than happy to be brute-forced. 

Best,
Carl




Carl J. Ness, M.S., CISSP
Senior Security Analyst
CIO Office, University of Iowa


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg 
Francis
Sent: Tuesday, February 10, 2009 3:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Self-Service software

Hello,

We're wanting to implement a password self-service site for our users.  
I'm wondering what others are using. We're using AD for our back-end  
authentication. We have about 7500 students and employees and about  
20,000 alumni accounts which receive relatively casual use.

Here are the things that we're looking for:

1) Reset password using some sort of question/answer module
2) Allowing pre-population of questions/answers would be desirable
3) Being able to send a one-time, expiring, password would be nice
4) Logging, logging, logging
5) We'll likely develop our own account provisioning but would like it  
to tie into this system for initial password connectivity
6) Enforcement of password rules
7) Notification to users when their password is about to expire

I've been looking at Password Manager from Quest but would like to  
hear suggestions from others.

Thanks,
Greg

Greg Francis
Director, Central Computing and Network Support Services
Information Technology Services
Gonzaga University
509-313-6896
francis () gonzaga edu
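
Added example, not part of either message and not code from any product named in the thread: a sketch of the lockout-style response limiting the reply describes, applied to a question/answer reset step with an audit trail. The class name, thresholds, account, address and answers are constructed for illustration, and answers are compared in plaintext only to keep the sketch short.

```python
import hmac
import time
from collections import defaultdict, deque

class ResetThrottle:
    """Lock a reset target after too many wrong answers inside a sliding window."""

    def __init__(self, max_failures=5, window=900, lockout=1800, clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock                    # injectable so the policy can be tested
        self.failures = defaultdict(deque)    # account -> times of recent wrong answers
        self.locked_until = {}                # account -> time the lockout ends
        self.audit = []                       # (time, account, source, outcome)

    def attempt(self, account, source, supplied, expected):
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            # While locked, even a correct answer is refused, as with account lockout.
            return self._log(now, account, source, "locked")
        recent = self.failures[account]       # keyed on account, not on source address
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures older than the window
        # Constant-time comparison; a real system would store a hash, not the answer.
        ok = hmac.compare_digest(supplied.strip().lower().encode(),
                                 expected.strip().lower().encode())
        if ok:
            recent.clear()
            return self._log(now, account, source, "accepted")
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            recent.clear()
        return self._log(now, account, source, "rejected")

    def _log(self, now, account, source, outcome):
        self.audit.append((now, account, source, outcome))
        return outcome

def demo():
    t = [0.0]                                 # fake clock, in seconds
    throttle = ResetThrottle(max_failures=3, window=60, lockout=300, clock=lambda: t[0])
    results = []
    for guess in ["rex", "spot", "fido", "buddy"]:   # constructed answers
        results.append(throttle.attempt("jdoe", "198.51.100.7", guess, "Buddy"))
        t[0] += 1
    t[0] += 300                               # wait out the lockout
    results.append(throttle.attempt("jdoe", "198.51.100.7", "buddy", "Buddy"))
    return results
```

Counting failures per account rather than per source address means spreading guesses across many addresses does not reset the counter; the audit list stands in for the logging requirement in the original request.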
