Educause Security Discussion mailing list archives

Re: Exposing security questions


From: Kevin Shalla <kshalla () UIC EDU>
Date: Fri, 22 Jan 2010 10:40:49 -0600

The problem with these questions is that they give the system
administrator of the given system the ability to compromise the
accounts on other systems where the same questions exist.  Whenever I
fill out these questions, I give random strings.  The only reasonable
alternative I know is to provide a recovery e-mail account, so when
the person forgets his password, he puts in his account ID and
presses the button "I forgot my e-mail", then the password is set to
a one-time password, and sent to that e-mail address.

At 12:09 PM 1/20/2010, Rob Tanner wrote:
We currently do self-service password management by requiring the
user to enter his/her SSN and mother's maiden name whenever they
forget their current password or allow it to expire.  Now, we want
to re-implement self-service password management using security
questions.  Out of a group of about twenty questions, the user will
initially be required to select and answer three which the user will
be presented with and required to answer when they don't know their
password.  The user, whether student, faculty or staff would of
course have to enter their account ID (what we call their CatNet ID
which is a 7 or 8 character string made up of their first initial
and the first 6 or 7 characters of their last name).

On our first rewrite of the self-service web tool, we required the
user to also enter their student/staff ID number.  The idea is to at
least add one more layer before exposing the selected security
questions.  Our problem is that of our three campuses, the nursing
school does not put student ID numbers on their ID cards.  What, in
addition to the account name do others use?  Or do most figure that
the account name is sufficient before exposing the security
questions?  My issue with that is that social engineering is
probably the bigger threat when trying to get access to people's
passwords and if I only have three questions to figure out your
answer to, that's a lot less work.  And if you happen to be the
president, CFO, a trustee or any of the executive administration,
unauthorized access to your email, for instance, could be far more
than just embarrassing.

Any thoughts or suggestions?



Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
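The recovery-e-mail flow Kevin describes (account ID in, one-time secret out by mail, nothing else exposed on the form), as an added example that is not part of the original thread; the account record, recovery address, 15-minute lifetime and in-memory outbox are constructed assumptions:

```python
# Added illustration of a recovery-e-mail reset: the user supplies only an
# account ID, an unguessable one-time secret is generated, only its hash is
# stored, and the secret goes to the pre-registered recovery address.
# The account table, outbox and TTL below are constructed; no mail is sent.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # constructed policy: secret is valid for 15 minutes

# Constructed account records: account ID -> recovery address and credential.
ACCOUNTS = {"rtanner": {"recovery_email": "rob@example.invalid", "credential": None}}
PENDING = {}   # account ID -> {"digest": sha256(secret), "expires": unix time}
OUTBOX = []    # (recovery address, one-time secret) pairs standing in for sent mail

def _digest(secret):
    return hashlib.sha256(secret.encode()).digest()

def _hash_password(password):
    salt = secrets.token_bytes(16)  # salted, iterated hash for the stored credential
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def request_reset(account_id, now=None):
    """Step 1: 'I forgot my password'. The reply is identical whether or not
    the account exists, so the form cannot be used to enumerate account IDs."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(account_id)
    if account is not None:
        secret = secrets.token_urlsafe(32)           # 256 bits of randomness
        PENDING[account_id] = {"digest": _digest(secret),
                               "expires": now + TOKEN_TTL_SECONDS}
        OUTBOX.append((account["recovery_email"], secret))
    return "If that account exists, instructions were sent to its recovery address."

def redeem_reset(account_id, secret, new_password, now=None):
    """Step 2: the e-mailed secret is presented once. Expired, unknown or wrong
    secrets are all rejected the same way, and a good one is consumed on use."""
    now = time.time() if now is None else now
    pending = PENDING.get(account_id)
    if pending is None or now > pending["expires"]:
        PENDING.pop(account_id, None)                # expired secrets are discarded
        return False
    if not hmac.compare_digest(pending["digest"], _digest(secret)):
        return False                                 # constant-time comparison
    del PENDING[account_id]                          # single use
    ACCOUNTS[account_id]["credential"] = _hash_password(new_password)
    return True
```

Because the secret is only ever sent to the recovery address on file, knowing the account ID (or the answers to a handful of shared security questions) is not enough to take the account over.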
