Educause Security Discussion mailing list archives
Re: Password change procedures
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Fri, 2 May 2014 14:05:43 -0400
We gave up on security questions. People forget the answers to them, it's hard to get ones that are meaningful yet not impolite or intrusive across cultures (we have a large international student population), the answers are often pretty predictable (there are a couple of studies on this), etc.

Instead we ask the user to provide student identification number, date of birth, and, if they have ever gotten a paycheck from us, the last four digits of their SSN/TIN. This has worked well for us, and we use the same process (the same site, in fact) to have new students set their first password (we no longer send them one). It's not perfect, but in practice it has worked well for us.

--Dave

--
*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
+1 212 229-5300 x4728 • david.curry () newschool edu

On Fri, May 2, 2014 at 1:49 PM, Dennis Levine <dennis_levine () emerson edu> wrote:
Hi Everyone,

I’m wondering if I could get some feedback as to how you have your school’s procedures set up to change a user’s password. Not when or how long it should be (we already beat that to death in the last thread with the Heartbleed bug). I’m talking about: do you have a web-based user self-portal that allows someone to enter name and ID number, answer a security question or two to get to a password change screen if they forgot their password?

If so, did you get pushback because of the security questions that may have been asked, such as “pick an address you may have lived at” or “what is your mother’s maiden name” etc., and all the wonderful problems that come with FERPA or PII info? Do you do it another way?

Thanks,
Dennis Levine

*Dennis Levine* | Network and Security Administrator | 120 Boylston Street Boston, MA 02116-4624 | (617) 824-8972 | Dennis_Levine () emerson edu | www.emerson.edu