Educause Security Discussion mailing list archives
Re: Self-service password reset approaches
From: Chris Edwards <chris () ENG GLA AC UK>
Date: Fri, 17 Feb 2012 12:35:49 +0000
On Tue, 14 Feb 2012, randy marchany wrote:

| 1. Never - the user can opt to not use remote password recovery. Yes,
| this means they have to show up in person. Some people like that.
| 2. SMS text - one time code sent to a pre-registered cell phone.
| 3. Voice - one time code sent to pre-registered phone.
| 4. Gmail - reset your password by logging into your Gmail account.
| 5. Yahoo - reset your password by logging into your Yahoo account.

So what if the user's personal Gmail account has been compromised? (it's a personal account, so reasonable to assume it might be less well protected than the Uni email - e.g. log into personal email from insecure locations)

A hacker who knows the Gmail password can easily get straight into the Uni account, via the password reset system.

| The user can opt to get an email sent to an (separate) email address when
| their password is reset.

I guess this helps, to some degree. Or if sufficiently paranoid, they choose option (1) password recovery disabled.

--
Chris Edwards
IT Security, Computing Service
University of Glasgow, charity number SC004401