Educause Security Discussion mailing list archives
Re: Question About Password Resets
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 16 May 2013 13:43:48 -0400
On Thu, 16 May 2013 11:00:00 -0500, Jim Pardonek said:
> apologize if this has been discussed before, but I was wondering what other institutions are doing regarding password resets via telephone? Or do you do something else?
No matter what you end up doing, remember to leave a flag for "this account may not be reset by phone/self-serve/whatever", so you can flag high-value or high-risk accounts as "tough noogies, they have to come in with official ID".

And remember - it doesn't have to be a high-priv account. I've heard of plenty of incidents of stalkers and ex-SOs social engineering their way through a self-serve password reset for their target.

Another option is using a cell phone as a cheap 2-factor auth system - the user pre-registers the phone number for password recovery, and uses a passcode sent via SMS to the number to complete the reset procedure.
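The two controls described in the message above, sketched as an added example that is not part of the original post or any institution's system: a per-account flag that refuses every remote reset, and a one-time passcode sent to the pre-registered phone. The names `Account`, `start_reset`, `finish_reset`, the `send_sms` callback and the TTL and attempt limits are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL = 600     # assumed: seconds an SMS passcode stays valid
MAX_ATTEMPTS = 3   # assumed: wrong guesses allowed per passcode

@dataclass
class Account:
    user: str
    in_person_only: bool = False          # the "may not be reset remotely" flag
    recovery_phone: Optional[str] = None  # pre-registered by the user
    code_hash: Optional[bytes] = None
    expires: float = 0.0
    attempts: int = 0

def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()

def start_reset(acct, send_sms, now=None) -> str:
    """Begin a phone/self-serve reset; returns the outcome as a string."""
    now = time.time() if now is None else now
    # Flagged accounts, and accounts with no number on file, go to the ID desk.
    if acct.in_person_only or acct.recovery_phone is None:
        return "in_person_id_required"
    code = f"{secrets.randbelow(10**6):06d}"
    acct.code_hash, acct.expires, acct.attempts = _digest(code), now + CODE_TTL, 0
    # Send only to the number on file, never to one supplied during the reset.
    send_sms(acct.recovery_phone, code)
    return "code_sent"

def finish_reset(acct, code, now=None) -> bool:
    """True only for a fresh, unexpired, correct passcode on an unflagged account."""
    now = time.time() if now is None else now
    if acct.in_person_only or acct.code_hash is None:
        return False
    if now > acct.expires or acct.attempts >= MAX_ATTEMPTS:
        acct.code_hash = None      # burn the code; caller must start over
        return False
    acct.attempts += 1
    ok = hmac.compare_digest(_digest(code), acct.code_hash)
    if ok:
        acct.code_hash = None      # single use
    return ok
```

The flag is checked in both functions so that setting it after a passcode has been issued still blocks the reset.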