Educause Security Discussion mailing list archives

Self-service password reset approaches

From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Mon, 6 Feb 2012 09:17:44 -0500

It's been a few years since this has come up on the list, so here goes.

For various administrative reasons having nothing to do with security we
need to make some big changes to our self-service password reset approach,
and I'm trying to capitalize on the opportunity to improve its security at
the same time. At the moment, we do what (we think) many other schools do
-- provide student id number, netid (username), and date of birth, and you
can reset your password. The problem with this is, of course, it was never
that hard to come up with that information in the first place, and the
combination of students doing more and more stuff online and the growing
use of social media makes it just that much easier.

So... what other approaches are you taking?

There is of course the "pick a few security questions" approach. But it's
hard to come up with a set of questions whose answers aren't trivial to
guess (either because they have little if any entropy or because the answer
is on Facebook). And if you do manage to come up with a set of hard
questions, people can't remember what their answers were. Do you use this
approach? If so, how have you addressed these problems?

We've been tossing around the idea of using something similar to the "email
confirmation" links you see many forum-type websites use. In this approach,
we would ask the user for some identifying information (netid, student id
number, etc.) and then look up the email addresses we have on file. The
user could choose any non-university email address in the list, and we
would send a randomly-generated URL to that account, which the user could
then click on to reset his/her password. Users for whom we have no
alternative email on file (or for whom all the ones we have on file are "no
good") would have to call the help desk. Does anybody use an approach like
this? How well is it working (or not working)?

Any other "interesting" approaches out there?

Thanks,
--Dave


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu

Current thread:

Self-service password reset approaches David Curry (Feb 06)
- Re: Self-service password reset approaches Ryan D Hiebert (Feb 06)
  - Re: Self-service password reset approaches Nathan Zierfuss (Feb 06)
- Re: Self-service password reset approaches Steve Werby (Feb 09)
  - Re: Self-service password reset approaches Theresa Rowe (Feb 14)
    - Re: Self-service password reset approaches Roger A Safian (Feb 14)
    - Re: Self-service password reset approaches Theresa Rowe (Feb 14)
    - Re: Self-service password reset approaches Kevin Shalla (Feb 14)
    - Re: Self-service password reset approaches Roger A Safian (Feb 14)
    - Re: Self-service password reset approaches Kevin Shalla (Feb 14)
    - Re: Self-service password reset approaches Roger A Safian (Feb 14)

(Thread continues...)