Educause Security Discussion mailing list archives

Re: Self Service Password Resets


From: randy marchany <marchany () VT EDU>
Date: Mon, 10 Aug 2009 17:31:44 -0400

It seems odd to reference Wikipedia but in this case, it merits
inspection. I'm not a fan of any online password reset process that
relies on "secret questions". Go to Wikipedia and search for the
following:
1. "Password strength" - nice discussion on various issues with human
generated passwords. There is a nice section on "human generated
passwords".
2. "Common Surnames" - reduces the effectiveness of the "what's your
mother's maiden name" type of questions. They're listed by country.
3. "Common US Place name" - to address the "where's your birthplace"
type questions
4. You get my drift here....

Also, you can google for "common pet names" and get a nice set of
sites that list most popular pet names (Dogs - 1. Max, 2. Jake, 3.
Buddy, .......).
I would also read Bruce Schneier's articles on password resets. In
other words, there are a number of resources that hackers use to
defeat the "secret question" defense. The Sarah Palin email incident
is proof of that.

The most important questions to ask when deciding to implement an
online password reset process are:

1. What is the impact of a fraudulent password reset?
    a. Does it just affect their email privs?
    b. Does access to the account affect personal items like classes or
work benefits?

If the answer is yes to 1b, I'd strongly consider NOT doing an online
password reset process. It's that old risk analysis thing....what risk
is your organization willing to accept?

Randy Marchany
VA Tech IT Security Office
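An added example, not from the post or the list: one way to turn the two points above (answers drawn from small common-answer lists, and the 1a/1b impact gate) into enrollment-time checks on a self-service reset flow. The answer lists, population shares and function names are constructed placeholders standing in for the surname, place-name and pet-name tables the post points to.

```python
# Added example, not from the post: defender-side checks for a secret-question
# reset flow. COMMON_ANSWERS holds CONSTRUCTED placeholder answers and shares
# standing in for real surname / place-name / pet-name frequency tables.

# question -> answers in descending popularity with a constructed share of users
COMMON_ANSWERS = {
    "mothers_maiden_name": [("smith", 0.009), ("johnson", 0.007),
                            ("williams", 0.006), ("brown", 0.005)],
    "birthplace": [("new york", 0.03), ("los angeles", 0.013),
                   ("chicago", 0.009), ("houston", 0.007)],
    "first_pet": [("max", 0.04), ("jake", 0.03), ("buddy", 0.025), ("bella", 0.02)],
}

def normalize(answer: str) -> str:
    """Collapse case and whitespace so 'Max ' and 'max' compare equal."""
    return " ".join(answer.strip().lower().split())

def answer_rank(question: str, answer: str):
    """1-based popularity rank of the answer, or None when it is off-list."""
    norm = normalize(answer)
    for rank, (common, _share) in enumerate(COMMON_ANSWERS.get(question, []), 1):
        if common == norm:
            return rank
    return None

def attacker_success_rate(question: str, guesses_before_lockout: int) -> float:
    """Share of users compromised by trying the top answers until lockout."""
    shares = [share for _answer, share in COMMON_ANSWERS.get(question, [])]
    return sum(shares[:guesses_before_lockout])

def question_acceptable(question: str, guesses_before_lockout: int = 5,
                        max_rate: float = 0.01) -> bool:
    """Policy check when choosing questions: blind guessing must stay rare."""
    return attacker_success_rate(question, guesses_before_lockout) <= max_rate

def online_reset_allowed(affects_benefits_or_classes: bool, enrolled: dict):
    """The post's risk gate (1a/1b): refuse online reset entirely when the
    account reaches classes or benefits; otherwise reject any enrolled answer
    that appears on the common list and send the user back to re-enroll."""
    if affects_benefits_or_classes:
        return False, "account reaches classes/benefits: no online reset"
    for question, answer in enrolled.items():
        rank = answer_rank(question, answer)
        if rank is not None:
            return False, f"{question}: answer is #{rank} most common, re-enroll"
    return True, "ok"
```

With real frequency tables the `question_acceptable` rate is what tells you how many lockout-limited guesses a given question survives.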
