Educause Security Discussion mailing list archives
Re: Question About Password Resets
From: "Schumacher, Adam J." <adamschumacher () CREIGHTON EDU>
Date: Fri, 17 May 2013 22:14:55 +0000
We have two mechanisms in place.

One is a two-factor online reset process. When a person activates their account, they must provide answers to security questions as well as either an external email or cell phone number to which we send a reset code. Once they've answered the questions and entered the code, they can set a new password.

The other mechanism is for individuals who either can't remember the answers to their questions, or cannot log on to their computer to get to the web site. It is an application the service desk uses to ask a series of questions that the individual must answer correctly in order to reset the password. The questions and answers are presented in such a way to make it difficult for the service desk to "help" the individual in answering (or fall victim to social engineering).

If that all fails, the person must come in person to the service desk and present a government issued photo ID.

sha1(
Adam Schumacher
Information Security Engineer
Creighton University
Don't share your password with ANYONE, EVER. This means YOU!
402-280-2383
402-672-1732
) = 7b74afd47a1443f2d16598447a992dc6e987a7a0

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Jim Pardonek [jpardonek () LUC EDU]
Sent: Thursday, May 16, 2013 11:00
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Question About Password Resets

We've recently had some issues with our current password reset process, particularly when a faculty or staff member is out of town and calls for a password reset. We also have an issue because our campuses are spread out geographically which makes it difficult for someone to come in person. I apologize if this has been discussed before, but I was wondering what other institutions are doing regarding password resets via telephone? Or do you do something else.

I am looking to make a recommendation to "re-tool" our password reset policy and process so any input would be most welcome.

Thanks,
Jim

James Pardonek, CISSP, CEH
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL 60660
*: (773) 508-6086