Educause Security Discussion mailing list archives

Re: Self-service password reset approaches


From: Chris Edwards <chris () ENG GLA AC UK>
Date: Fri, 17 Feb 2012 12:35:49 +0000

On Tue, 14 Feb 2012, randy marchany wrote:

| 1. Never - the user can opt to not use remote password recovery. Yes, 
| this  means they have to show up in person. Some people like that.
| 2. SMS text - one time code sent to a pre-registered cell phone.
| 3. Voice - one time code sent to pre-registered phone.
| 4. Gmail - reset your password by logging into your Gmail account.
| 5. Yahoo - reset your password by logging into your Yahoo account.

So what if the user's personal Gmail account has been compromised?

(it's a personal account, so reasonable to assume it might be less well 
protected than the Uni email - e.g. logging into personal email from insecure 
locations)

A hacker who knows the Gmail password can easily get straight into the Uni 
account, via the password reset system.


| The user can opt to get an email sent to an (separate) email address when
| their password is reset.

I guess this helps, to some degree.

Or if sufficiently paranoid, they choose option (1) password recovery 
disabled.


-- 
Chris Edwards
IT Security, Computing Service
University of Glasgow, charity number SC004401
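The weakest-link argument in the reply above, worked through as an added example (not code from the thread or from either university): accounts and reset channels get constructed assurance scores, and reset paths are followed transitively, so a Uni account that resets via Gmail inherits Gmail's score, and whatever can reset Gmail counts as well. The scores, account names and option labels are assumptions chosen to mirror the five options quoted in the thread.

```python
# Added example: effective assurance of an account is the minimum over every
# account or channel that can initiate a reset for it, followed transitively.
# Scores are a constructed ordinal scale (higher = harder to take over).
from collections import deque

# Constructed scores for the non-account reset channels from the thread.
CHANNEL_ASSURANCE = {"in_person": 5, "sms": 3, "voice": 3}


def weakest_reset_path(accounts, resets, target):
    """accounts: {account: own assurance}; resets: {account: [sources]}, where a
    source is another account name or a channel in CHANNEL_ASSURANCE.
    Returns (effective_assurance, chain): chain runs from the weakest source an
    attacker would need up to the target. Cycles (Gmail <-> Yahoo) are handled."""
    parent = {target: None}
    queue = deque([target])
    weakest, weakest_node = accounts[target], target
    while queue:
        node = queue.popleft()
        for src in resets.get(node, []):
            if src in parent:          # already visited (covers reset cycles)
                continue
            parent[src] = node
            score = accounts[src] if src in accounts else CHANNEL_ASSURANCE[src]
            if score < weakest:
                weakest, weakest_node = score, src
            if src in accounts:        # only accounts have reset paths of their own
                queue.append(src)
    chain, node = [], weakest_node
    while node is not None:
        chain.append(node)
        node = parent[node]
    return weakest, chain


def compare_options(uni_assurance, personal_accounts, personal_resets):
    """Evaluate the thread's five reset options for a constructed 'uni' account."""
    options = {"1 never": [], "2 sms": ["sms"], "3 voice": ["voice"],
               "4 gmail": ["gmail"], "5 yahoo": ["yahoo"]}
    accounts = dict(personal_accounts, uni=uni_assurance)
    return {name: weakest_reset_path(accounts, dict(personal_resets, uni=srcs), "uni")
            for name, srcs in options.items()}


if __name__ == "__main__":
    # Constructed scenario: personal webmail is weaker than the Uni account and
    # the two personal accounts can reset each other.
    personal = {"gmail": 2, "yahoo": 2}
    personal_resets = {"gmail": ["sms", "yahoo"], "yahoo": ["gmail"]}
    for option, (score, chain) in compare_options(4, personal, personal_resets).items():
        print(f"{option:8} effective assurance {score}  via {' -> '.join(chain)}")
```

Option 1 keeps the Uni account at its own score; options 4 and 5 drop it to the personal webmail's score, which is the point the reply makes.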

