Educause Security Discussion mailing list archives
Re: Password Self-Service software
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Tue, 17 Feb 2009 13:54:24 -0600
And how do you handle remote-user resets? I have a lot of distance-Ed community members, and I like to use the researcher stationed at McMurdo Sound (Antarctica) as a use-case. When his password is compromised or forgotten, how does he get access to the learning management system again?

-jml
Alex <alex.everett () UNC EDU> 2009-02-17 12:00 >>>
I am not convinced that this would be a significant deterrent to an adversary. With resources like Facebook, and the fact that they even claim the false positive rate is 1% - leads me to this conclusion. This means 1% of the time, an attacker will successfully get the password. Let's see, times 1000 requests is 10 compromised accounts.

Typically, we ask for two forms of identification from the user.

Sincerely,
Alex

_____

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chancellor, Beth C.
Sent: Tuesday, February 17, 2009 12:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Self-Service software

We put our users in password initialization jail. They can't reset their initial password successfully without setting up their questions.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Tuesday, February 17, 2009 10:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Self-Service software

There's also the accompanying challenge of convincing current accountholders to take the time to register themselves with this service.

The one you mention below is quite clever, but one thing these schemes all have in common is the user has to actually visit them *before* they need the service (and to not be in such a hurry that they can give due care to their answer choices).

Having it be part of new-account activation is not as hard, but how are schools adding these to existing systems, and inspiring the user base to register themselves?

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chancellor, Beth C.
Sent: Tuesday, February 17, 2009 11:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Self-Service software

I have been particularly enamored with something that gets away from the user typing in answers to questions. While our institution is not even close to using this or something similar, I thought I'd throw it out there. This type of reset application seems to have lots of benefits including eliminating key logging as a problem.

http://www.ravenwhite.com/iforgotmypassword.html

Beth

Beth Chancellor
Chief Information Security Officer
University of Missouri
(573)882-3503

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Francis
Sent: Tuesday, February 10, 2009 3:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Self-Service software

Hello,

We're wanting to implement a password self-service site for our users. I'm wondering what others are using. We're using AD for our back-end authentication. We have about 7500 students and employees and about 20,000 alumni accounts which receive relatively casual use.

Here are the things that we're looking for:

1) Reset password using some sort of question/answer module
2) Allow pre-population of questions/answers would be desirable
3) Being able to send a one-time, expiring, password would be nice
4) Logging, logging, logging
5) We'll likely develop our own account provisioning but would like it to tie into this system for initial password connectivity
6) Enforcement of password rules
7) Notification to users when their password is about to expire

I've been looking at Password Manager from Quest but would like to hear suggestions from others.

Thanks,
Greg

Greg Francis
Director, Central Computing and Network Support Services
Information Technology Services
Gonzaga University
509-313-6896
francis () gonzaga edu