Educause Security Discussion mailing list archives

Re: Password Self-Service Solutions - quick survey


From: Matthew Giannetto <MGiannetto () MC3 EDU>
Date: Wed, 5 May 2010 09:09:40 -0400

Erik,
Regarding question three, we do not allow users to pick their own questions.  It's hard enough for us to come up with a list of "good" password questions.  I'd recommend you create them.

We decided to require users to register five password questions.  Two would be from "Pool 1", two would be from "Pool 2", and one would be from "Pool 3".  Considering the two biggest threats for password guessing for students would be parents or friends, we designed it so that...

* Pool 1 would be something a parent wouldn't usually know (Who played the first concert you attended?)
* Pool 2 would be something a friend wouldn't usually know (What was the name of your favorite stuffed animal?)
* Pool 3 would be something neither would usually know (What is your biggest pet peeve?)

To reset a password, a user would have to answer one question from both Pool 1 and Pool 2.
To authenticate to the Help Desk, they'd have to answer their Pool 3 question and validate other information (phone, address, etc.).

This site was most useful for us: http://goodsecurityquestions.com/
Thanks,

Matt Giannetto
Manager of IT Security
Montgomery County Community College
mgiannetto () mc3 edu | (215) 619-7442

From: Erik Decker [mailto:edecker () LUC EDU]
Sent: Tuesday, May 04, 2010 6:00 PM
Subject: Password Self-Service Solutions - quick survey

All,

We are in the process of evaluating our password self-service solution and were curious what solutions other 
Universities use.  If you're so inclined, could you respond to these questions?

1) What product do you use for password self-service?
2) What is your Directory environment?  (Active Directory, Novell eDirectory, etc)
3) Do you use predefined questions or do you have your users set their own recovery questions?
4) How well received is your product within your community?
5) Are you happy with your product?

Many thanks!


Erik Decker
Security Administrator
University Information Security Office (UISO)
Loyola University Chicago

________________________________
Montgomery County Community College is proud to be
the #1 ranked technology-savvy community college in the nation,
as determined by the Center for Digital Education and Converge magazine.
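
The enrollment and verification rules described in the reply above (two questions from Pool 1, two from Pool 2, one from Pool 3; one answer from each of Pools 1 and 2 to reset; the Pool 3 answer plus other information for the Help Desk), as an added Python example that is not part of the original thread or of any product discussed in it. The salted PBKDF2 storage, the answer normalization, the short question labels, and the "first album bought" and "childhood nickname" questions are assumptions made for illustration.

```python
import hashlib, hmac, os
from collections import Counter

REQUIRED = {1: 2, 2: 2, 3: 1}  # questions registered per pool, five in total

def _digest(answer, salt):
    # Assumption: answers are normalized, then stored as salted PBKDF2 hashes.
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)

def enroll(answers):
    """answers maps (pool, question) -> answer; returns the stored record."""
    counts = dict(Counter(pool for pool, _ in answers))
    if counts != REQUIRED:
        raise ValueError(f"need {REQUIRED} questions per pool, got {counts}")
    record = {}
    for key, answer in answers.items():
        salt = os.urandom(16)
        record[key] = (salt, _digest(answer, salt))
    return record

def _correct(record, key, answer):
    if key not in record:
        return False
    salt, stored = record[key]
    return hmac.compare_digest(stored, _digest(answer, salt))

def may_reset(record, responses):
    """Self-service reset: exactly one Pool 1 and one Pool 2 answer, both correct."""
    if sorted(pool for pool, _ in responses) != [1, 2]:
        return False
    # Check every answer before combining, so one miss does not skip the other check.
    return all([_correct(record, k, a) for k, a in responses.items()])

def helpdesk_ok(record, responses, other_info_verified):
    """Help Desk: the Pool 3 answer plus other validated information."""
    pool3 = any(k[0] == 3 and _correct(record, k, a) for k, a in responses.items())
    return pool3 and other_info_verified

# Constructed sample enrollment (answers invented for this example).
SAMPLE = {
    (1, "first concert"): "The Example Band",
    (1, "first album bought"): "Sample Record",
    (2, "favorite stuffed animal"): "Mr. Bear",
    (2, "childhood nickname"): "Skip",
    (3, "biggest pet peeve"): "Loud chewing",
}
```

Two Pool 1 answers do not satisfy `may_reset`, and a correct Pool 3 answer alone does not satisfy `helpdesk_ok`, which mirrors the split between the self-service and Help Desk paths.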
