Educause Security Discussion mailing list archives

Re: Self Service Password Resets


From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Mon, 10 Aug 2009 12:46:04 -0500

Somewhat against my advice, such a beast is being rolled out here.  It
debuted in June, and was in place for "voluntary" subscription during
new student orientation/registration sessions this summer.  I say
"voluntary" because you get a click-through nag every time you log in to
our portal until you play the game.  I have no idea how many new
students were sucked in.

    * To play the game, you choose seven questions to answer out of a
      hundred or so predefined questions.
    * Your answers are stored in a database via a one-way hash.
    * When you need to reset your password, you're given three of the
      seven questions to answer.
    * If you don't get the answers all correct, you're given a different
      set of three for a second chance.  You get no feedback about which
      were right and which were wrong, just that they weren't all
      correct.  There may be some duplication of questions from the
      first round, but at least one is guaranteed to be different.
    * If you fail again, you get a third chance.  Again, at least one of
      the questions will be new.
    * If you fail to answer all questions correctly the third time,
      you're done and have to visit the help desk with your ID card in hand.

The committee that worked on the project spent a *lot* of time trying to
get good questions, but there are still some that leave a lot to be
desired in terms of "good" security questions.

 -ken

Anand S Malwade wrote:
I wanted to know if other Universities have deployed a Centralized Self Service Password reset portal for end users. 
We also need guidance on the overall process, nature and number of the Challenge response questions the end users 
must answer for identification.

Thanks,
Anand

Seton Hall University
South Orange, NJ


--
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373
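The three-round scheme Ken describes (seven enrolled questions, hashed answers, three asked per round, at least one new question each round, pass/fail only, lockout after the third miss), as an added Python sketch that is not part of the original post or of UNI's actual system; the salted PBKDF2 hashing, the answer normalization and the `ResetChallenge` class are assumptions made for the example:

```python
import hashlib
import hmac
import secrets

def _normalize(answer):
    # Case and whitespace differences in an answer are not security signal.
    return " ".join(answer.strip().lower().split())

def _hash_answer(answer, salt):
    # The post only says "one-way hash"; a per-user salted, slow hash is an
    # assumption here so identical answers don't share a stored digest.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 50_000)

class ResetChallenge:
    PER_USER, PER_ROUND, MAX_ROUNDS = 7, 3, 3

    def __init__(self, enrolled_answers, rng=None):
        if len(enrolled_answers) != self.PER_USER:
            raise ValueError("enrol exactly seven questions")
        self._rng = rng or secrets.SystemRandom()
        self._stored = {}  # question id -> (salt, digest); plaintext is discarded
        for qid, ans in enrolled_answers.items():
            salt = secrets.token_bytes(16)
            self._stored[qid] = (salt, _hash_answer(ans, salt))
        self.rounds_used, self.locked = 0, False
        self._last_set, self._current = None, None

    def next_round(self):
        """Pick three of the seven, with at least one not asked last round."""
        if self.locked or self.rounds_used >= self.MAX_ROUNDS:
            raise PermissionError("locked out: visit the help desk with ID")
        while True:
            chosen = sorted(self._rng.sample(list(self._stored), self.PER_ROUND))
            if self._last_set is None or set(chosen) - set(self._last_set):
                break
        self._current = chosen
        return chosen

    def verify(self, answers):
        """All-or-nothing: the caller learns only whether the whole round passed."""
        if self._current is None or self.locked:
            raise PermissionError("no active round")
        ok = True
        for qid in self._current:  # check every answer; never short-circuit
            salt, digest = self._stored[qid]
            ok &= hmac.compare_digest(_hash_answer(answers.get(qid, ""), salt), digest)
        self.rounds_used += 1
        self._last_set, self._current = self._current, None
        if not ok and self.rounds_used >= self.MAX_ROUNDS:
            self.locked = True
        return ok
```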
