Educause Security Discussion mailing list archives

Re: Challenge/response questions?


From: Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>
Date: Wed, 15 Apr 2009 13:40:31 -0500

Leon-



List users is easy, but rights is pretty wide open. What rights are you
looking to learn about?



Thanks,

Brian Desmond

brian.desmond () morantechnology com



c - 312.731.3132



Active Directory, 4th Ed -  <http://www.briandesmond.com/ad4/>
http://www.briandesmond.com/ad4/

Microsoft MVP -  <https://mvp.support.microsoft.com/profile/Brian>
https://mvp.support.microsoft.com/profile/Brian





From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Leon DuPree
Sent: Tuesday, April 14, 2009 8:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Challenge/response questions?



Does anyone have  sample script for Active Directory that would list users
and rights?



Be great if I could get some kind of error handling with it in case it does
not work on a server.



Let me  know if you have any questions why? (I am not interested in
rinventing the wheel :)





Leon DuPree

University of Michigan

LSA Intern







On Mon, Apr 13, 2009 at 12:23 PM, Schumacher, Adam J
<ADAMSCHUMACHER () creighton edu> wrote:

We use security questions plus having access to a secondary email account or
cellphone capable of receiving text messages to reset passwords.  We provide
15 possible questions to choose from, of which they must select three (and
answer a random selection of 2).

Best practices for questions would involve things that aren't likely to
change over time (excludes "whats your favorite _____?" type questions),
things that aren't too easy to guess or find out, and have high entropy
(lots of possible answers).

Some examples of decent questions might include:
What is your oldest sibling's birthday?
What is the address of the first house you lived in?
What hospital where you born at?
What was the color of your first car?
What was the make/model of your first car?


On 4/10/09 12:57 PM, "Witmer, Robert" <r.witmer () SNHU EDU> wrote:

There must be a better way!  We have a customized single sign on solution
and
are looking at self service password resets from a web page.  Everything
after
authentication has been worked out.  Currently we are thinking of using
challenge/response type questions to verify account ownership.  However,
either most of the information is available on line (mother's maiden name
=
genealogy sites) or includes personally identifying information (SSN last
4)
that we don't collect and don't want to use.

Anyone have a better idea?  If not, anyone have better challenge/response
questions?

Regards,
Bob

sha1(

Adam Schumacher
Information Security Engineer
Creighton University

Don't share your password with ANYONE, EVER.  This means YOU!

402-280-2383
402-672-1732

)

= 1a72637cf94189654ab1a827520a5e41738f41b0




--
EIM Consulting
PO Box 320822
Flint Township, MI 48532
Leon DuPree B.S MBA
Chief Security Consultant
Phone: 810-569-6427
Fax: 270- 447-3872


Current thread: