Educause Security Discussion mailing list archives
Re: Self Service Password Resets
From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Mon, 10 Aug 2009 12:46:04 -0500
Somewhat against my advice, such a beast is being rolled out here. It debuted in June, and was in place for "voluntary" subscription during new student orientation/registration sessions this summer. I say "voluntary" because you get a click-through nag every time you log in to our portal until you play the game. I have no idea how many new students were sucked in.

* To play the game, you choose seven questions to answer out of a hundred or so predefined questions.
* Your answers are stored in a database via a one-way hash.
* When you need to reset your password, you're given three of the seven questions to answer.
* If you don't get the answers all correct, you're given a different set of three for a second chance. You get no feedback about which were right and which were wrong, just that they weren't all correct. There may be some duplication of questions from the first round, but at least one is guaranteed to be different.
* If you fail again, you get a third chance. Again, at least one of the questions will be new.
* If you fail to answer all questions correctly the third time, you're done and have to visit the help desk with your ID card in hand.

The committee that worked on the project spent a *lot* of time trying to get good questions, but there are still some that leave a lot to be desired in terms of "good" security questions.

-ken

Anand S Malwade wrote:
> I wanted to know if other Universities have deployed a Centralized Self Service Password reset portal for end users. We also need guidance on the overall process, nature and number of the Challenge response questions the end users must answer for identification.
>
> Thanks,
> Anand
> Seton Hall University
> South Orange, NJ
--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373
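
The enrollment and three-round challenge flow described in the message above, as an added Python example that is not part of the original post and is not the university's implementation. The PBKDF2 hashing, the answer normalization, and reading "at least one different" as "differs from the previous round" are assumptions; all function and class names are hypothetical.

```python
import hashlib, hmac, os, random, unicodedata

ENROLLED, ASKED, MAX_ROUNDS = 7, 3, 3  # counts given in the message above

def _norm(answer):
    # Assumption: fold case and spacing before hashing; the message does not say.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def _digest(answer, salt):
    # Assumption: salted PBKDF2-HMAC-SHA256; the message says only "one-way hash".
    return hashlib.pbkdf2_hmac("sha256", _norm(answer).encode(), salt, 200_000)

def enroll(answers):
    """answers: {question_id: answer}. Returns {question_id: (salt, digest)}."""
    if len(answers) != ENROLLED:
        raise ValueError("exactly seven answered questions are required")
    record = {}
    for qid, answer in answers.items():
        salt = os.urandom(16)
        record[qid] = (salt, _digest(answer, salt))
    return record

class ResetSession:
    def __init__(self, record):
        self.record, self.rng = record, random.SystemRandom()
        self.rounds_used, self.last, self.open, self.locked = 0, None, False, False

    def next_challenge(self):
        """Three question ids, or None once the user must go to the help desk."""
        if self.locked or self.rounds_used >= MAX_ROUNDS:
            self.locked = True
            return None
        if self.open:  # unanswered challenge: no re-rolling for easier questions
            return sorted(self.last)
        pick = self.last
        while pick == self.last:  # at least one question differs from last round
            pick = frozenset(self.rng.sample(sorted(self.record), ASKED))
        self.last, self.open = pick, True
        return sorted(pick)

    def submit(self, answers):
        """All-or-nothing verdict; never reveals which answer was wrong."""
        if self.locked or not self.open:
            return False
        self.open = False
        self.rounds_used += 1
        ok = True
        for qid in self.last:  # check every answer, no early exit
            salt, want = self.record[qid]
            ok &= hmac.compare_digest(_digest(answers.get(qid, ""), salt), want)
        self.locked = not ok and self.rounds_used >= MAX_ROUNDS
        return ok
```
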