Educause Security Discussion mailing list archives
Re: Password Self-Service Solutions - quick survey
From: Matthew Giannetto <MGiannetto () MC3 EDU>
Date: Wed, 5 May 2010 09:09:40 -0400
Erik,

Regarding question three, we do not allow users to pick their own questions. It's hard enough for us to come up with a list of "good" password questions. I'd recommend you create them.

We decided to require users to register five password questions. Two would be from "Pool 1", two would be from "Pool 2", and one would be from "Pool 3". Considering that the two biggest threats for password guessing for students would be parents or friends, we designed it so that...

* Pool 1 would be something a parent wouldn't usually know (Who played the first concert you attended?)
* Pool 2 would be something a friend wouldn't usually know (What was the name of your favorite stuffed animal?)
* Pool 3 would be something neither would usually know (What is your biggest pet peeve?)

To reset a password, a user would have to answer one question from both Pool 1 and Pool 2. To authenticate to the Help Desk, they'd have to answer their Pool 3 question and validate other information (phone, address, etc.).

This site was most useful for us: http://goodsecurityquestions.com/

Thanks,
Matt Giannetto
Manager of IT Security
Montgomery County Community College
mgiannetto () mc3 edu | (215) 619-7442

From: Erik Decker [mailto:edecker () LUC EDU]
Sent: Tuesday, May 04, 2010 6:00 PM
Subject: Password Self-Service Solutions - quick survey

All,

We are in the process of evaluating our password self-service solution and were curious what solutions other Universities use. If you're so inclined, could you respond to these questions?

1) What product do you use for password self-service?
2) What is your Directory environment? (Active Directory, Novell eDirectory, etc.)
3) Do you use predefined questions or do you have your users set their own recovery questions?
4) How well received is your product within your community?
5) Are you happy with your product?

Many thanks!
Erik Decker
Security Administrator
University Information Security Office (UISO)
Loyola University Chicago

________________________________
Montgomery County Community College is proud to be the #1 ranked technology-savvy community college in the nation, as determined by the Center for Digital Education and Converge magazine.
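
Added example, not part of the original thread and not Montgomery County Community College's implementation: the pooled-question policy described in the reply above (register two Pool 1, two Pool 2 and one Pool 3 question; a reset asks one question from each of Pool 1 and Pool 2; the Help Desk asks the Pool 3 question) written as enrollment and verification checks in Python. The question ids, the sample answers, the answer normalization and the salted PBKDF2 storage are assumptions; the Help Desk's extra checks (phone, address) are not modelled.

```python
import hashlib
import hmac
import os
import secrets
from collections import Counter

# Pool counts from the post: two from Pool 1, two from Pool 2, one from Pool 3.
REQUIRED = {1: 2, 2: 2, 3: 1}
RESET_POOLS = (1, 2)      # self-service reset: one question from each pool
HELPDESK_POOLS = (3,)     # Help Desk: the Pool 3 question

def digest(answer, salt):
    # Assumption: answers are normalized, then stored salted and hashed.
    norm = " ".join(answer.casefold().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)

def enroll(answers):
    """answers: {(pool, question_id): answer}. Returns the stored record."""
    counts = Counter(pool for pool, _ in answers)
    if dict(counts) != REQUIRED:
        raise ValueError(f"need {REQUIRED} per pool, got {dict(counts)}")
    record = {}
    for key, answer in answers.items():
        if not answer.strip():
            raise ValueError(f"empty answer for {key}")
        salt = os.urandom(16)
        record[key] = (salt, digest(answer, salt))
    return record

def challenge(record, pools=RESET_POOLS):
    """Pick one registered question at random from each required pool."""
    return [secrets.choice(sorted(k for k in record if k[0] == p)) for p in pools]

def verify(record, asked, responses):
    """True only if every asked question is answered correctly."""
    ok = bool(asked)
    for key in asked:
        salt, stored = record[key]
        ok &= hmac.compare_digest(stored, digest(responses.get(key, ""), salt))
    return ok

# Constructed sample enrollment; ids and answers are hypothetical.
SAMPLE = {
    (1, "first_concert"): "The Roots",
    (1, "p1_other"): "blue sedan",
    (2, "stuffed_animal"): "Mr. Bun",
    (2, "p2_other"): "third grade",
    (3, "pet_peeve"): "slow walkers",
}
```

Every asked question is checked before the result is returned, so a wrong first answer does not reveal which of the two reset questions failed.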