Educause Security Discussion mailing list archives
Re: Question About Password Resets
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Thu, 16 May 2013 12:44:59 -0400
We require everyone to provide their university identification number, their username, and their date of birth. If the person is (or ever has been) an employee, we also require the last four digits of their SSN/ITIN.

If the individual does not know his or her username, he or she can look it up by providing identification number and last name. If the individual does not know his or her identification number, the various departments (Human Resources, Student Services, Alumni) have each defined a process for giving it out over the phone. Generally, the caller has to provide three or four pieces of information correctly. If the staff member taking the call is suspicious, we require the person to visit the office in person.

The security of this process is not perfect by any means, but it has worked well in practice, and we have not had any significant issues.

--Dave

--
*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
+1 212 229-5300 x4728 • david.curry () newschool edu

On Thu, May 16, 2013 at 12:12 PM, Roger A Safian <r-safian () northwestern edu> wrote:
We have security questions and answers set when the accounts are created. I’m not a fan of them myself, but, I recognize their usefulness in situations like this. If those fail, the user would need to contact a department chair, program coordinator, etc. and have that person contact our help desk in order to authorize the change.

*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Jim Pardonek
*Sent:* Thursday, May 16, 2013 11:00 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Question About Password Resets

We've recently had some issues with our current password reset process, particularly when a faculty or staff member is out of town and calls for a password reset. We also have an issue because our campuses are spread out geographically, which makes it difficult for someone to come in person. I apologize if this has been discussed before, but I was wondering what other institutions are doing regarding password resets via telephone? Or do you do something else? I am looking to make a recommendation to "re-tool" our password reset policy and process, so any input would be most welcome.

Thanks,

Jim

*James Pardonek, CISSP, CEH*
*Information Security Officer*
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL 60660
(773) 508-6086