Re: Self Service Password Resets

[Timothy Payne <tpayne1 () MACALESTER EDU>]

We require the person calling in to contact the Registrar's Office
(for students) or Employment Services (for staff and faculty), who
will verify their identity using PII such as their SS number and
address.  We make this as easy as possible for the user by
transferring the call and personally handing them off to a live
person.  Within a few minutes, they are transferred back and after the
Registrar or ES staff confirms that the caller is who they claim to
be, we take the call back and reset the password.

This is our first year doing this, and we are working out the bumps as
we go along.

Tim Payne, CISSP, CISM, CCNA
Network Administrator
Macalester College



On Tue, Aug 18, 2009 at 9:37 AM, Gary Flynn<flynngn () jmu edu> wrote:
> What does the "standard help-desk password reset call" consist
> of for someone who cannot physically visit the helpdesk?
>
>
>
> Gary Flynn
> Security Engineer
> James Madison University
> www.jmu.edu/computing/security
> <reply top posted thanks to Microsoft Outlook>
>
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Murphy
> > Sent: Wednesday, August 12, 2009 9:37 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Self Service Password Resets
> >
> > One thing we (at the University at Buffalo) implemented that I think is
> > a must for self-service password reset is self-service lockout.
> > If you can't "guess" the answers by the third try, the self-service
> > question logon is locked.  This significantly
> > reduces the likelyhood of simply guessing the answers.  Last month, we
> > had 587 self service resets, and 62 lock outs, so I think
> > it works without inordinately inconveniencing users.  (lock-outs simply
> > require a standard help-desk password reset call.)
> >
> > Someone also mentioned not indicating which answers are wrong on a
> > wrong
> > guess (which also helps prevent guessing).
> >
> > At UB we also require users to provide one question and answer of their
> > own.
> >
> > Personally, I don't think the actual questions are as important as the
> > policies around them.
> >
> > Joel
> >
> > randy marchany wrote:
> > > It seems odd to reference Wikipedia but in this case, it merits
> > > inspection. I'm not a fan of any online password reset process that
> > > relies on "secret questions". Go to Wikipedia and search for the
> > > following:
> > > 1. "Password strength" - nice discussion on various issues with human
> > > generated passwords. There is a nice section on 'human generated
> > > passwords".
> > > 2. "Common Surnames" - reduces the effectiveness of the "what's your
> > > mother's maiden name" type of questions. They're listed by country.
> > > 3. "Common US Place name" - to address the "where's your birthplace"
> > > type questions
> > > 4. You get my drift here....
> > >
> > > Also, you can google for "common pet names" and get a nice set of
> > > sites that list most popular pet names (Dogs - 1. Max, 2. Jake, 3.
> > > Buddy,.......)
> > > I would also read Bruce Schneier's articles on password resets. In
> > > other words, there are a number of resources that hackers use to
> > > defeat the "secret question" defense. The Sarah Palin email incident
> > > is proof of that.
> > >
> > > The most important questions to ask when deciding to implement an
> > > online password reset process are:
> > >
> > > 1. What is the impact of a fraudulent password reset?
> > >     a.Does it just affect their email privs?
> > >     b.Does access to the account affect personal items like classes
> > or
> > > work benefits?
> > >
> > > If the answer is yes to 1b, I'd strongly consider NOT doing an online
> > > password reset process. It's that old risk analysis thing....what
> > risk
> > > is your organization willing to accept?
> > >
> > > Randy Marchany
> > > VA Tech IT Security Office