Educause Security Discussion mailing list archives
Re: Exposing security questions
From: Kevin Shalla <kshalla () UIC EDU>
Date: Fri, 22 Jan 2010 10:40:49 -0600
The problem with these questions is that they give the system administrator of the given system the ability to compromise the accounts on other systems where the same questions exist. Whenever I fill out these questions, I give random strings. The only reasonable alternative I know is to provide a recovery e-mail account, so when the person forgets his password, he puts in his account ID and presses the button "I forgot my e-mail", then the password is set to a one-time password, and sent to that e-mail address.

At 12:09 PM 1/20/2010, Rob Tanner wrote:
We currently do self-service password management by requiring the user to enter his/her SSN and mother's maiden name whenever they forget their current password or allow it to expire. Now, we want to re-implement self-service password management using security questions. Out of a group of about twenty questions, the user will initially be required to select and answer three, which the user will be presented with and required to answer when they don't know their password. The user, whether student, faculty or staff, would of course have to enter their account ID (what we call their CatNet ID, which is a 7 or 8 character string made up of their first initial and the first 6 or 7 characters of their last name).

On our first rewrite of the self-service web tool, we required the user to also enter their student/staff ID number. The idea is to at least add one more layer before exposing the selected security questions. Our problem is that of our three campuses, the nursing school does not put student ID numbers on their ID cards.

What, in addition to the account name, do others use? Or do most figure that the account name is sufficient before exposing the security questions? My issue with that is that social engineering is probably the bigger threat when trying to get access to people's passwords, and if I only have three questions to figure out your answer to, that's a lot less work. And if you happen to be the president, CFO, a trustee or any of the executive administration, unauthorized access to your email, for instance, could be far more than just embarrassing.

Any thoughts or suggestions?

Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
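The recovery-e-mail flow Kevin describes (account ID in, one-time password mailed out) has a few properties worth getting right: the one-time value is stored only as a hash so an administrator who can read the table still cannot use it, it expires, it works exactly once, and an unknown account ID gets the same response as a known one. The sketch below is an added example, not code from either poster or from any product; `RecoveryService`, the 15-minute lifetime and the account/e-mail values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of the one-time password


def _digest(token: str) -> str:
    # Only this digest is stored; reading the table does not yield a usable token.
    return hashlib.sha256(token.encode()).hexdigest()


class RecoveryService:
    """Hypothetical self-service reset backed by a recovery e-mail address."""

    def __init__(self):
        self.recovery_email = {}  # account_id -> enrolled recovery address
        self.pending = {}         # account_id -> (token digest, expiry time)

    def enroll(self, account_id: str, email: str) -> None:
        self.recovery_email[account_id] = email

    def request_reset(self, account_id: str, now=None):
        """Handle the "I forgot my password" button.

        Returns (email, token) for the mailer, or None for an unknown account.
        The web page shows the same neutral message in both cases, so the form
        does not reveal which account IDs exist.
        """
        email = self.recovery_email.get(account_id)
        if email is None:
            return None
        token = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        expires = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
        self.pending[account_id] = (_digest(token), expires)  # newer request wins
        return email, token

    def redeem(self, account_id: str, token: str, now=None) -> bool:
        """Accept the one-time password once, before expiry; True means a new password may be set."""
        entry = self.pending.get(account_id)
        if entry is None:
            return False
        stored_digest, expires = entry
        if (now if now is not None else time.time()) > expires:
            del self.pending[account_id]
            return False
        if not hmac.compare_digest(stored_digest, _digest(token)):
            return False  # wrong value; the pending token stays valid until expiry
        del self.pending[account_id]  # single use: a replayed token is rejected
        return True
```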
Current thread:
- Exposing security questions Rob Tanner (Jan 20)
- <Possible follow-ups>
- Re: Exposing security questions Scott O. Bradner (Jan 20)
- Re: Exposing security questions Timothy Payne (Jan 20)
- Re: Exposing security questions Jonathan Byrne (Jan 20)
- Re: Exposing security questions Kevin Shalla (Jan 22)