Educause Security Discussion mailing list archives

Re: Password change procedures


From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Fri, 2 May 2014 14:05:43 -0400

We gave up on security questions. People forget the answers to them, it's
hard to get ones that are meaningful yet not impolite or intrusive across
cultures (we have a large international student population), the answers
are often pretty predictable (there are a couple of studies on this), etc.

Instead we ask the user to provide student identification number, date of
birth, and, if they have ever gotten a paycheck from us, the last four
digits of their SSN/TIN. This has worked well for us, and we use the same
process (the same site, in fact) to have new students set their first
password (we no longer send them one).

It's not perfect, but in practice it has worked well for us.

--Dave


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Fri, May 2, 2014 at 1:49 PM, Dennis Levine <dennis_levine () emerson edu> wrote:

 Hi Everyone,

  I’m wondering if I could get some feedback as to how you have your
school’s procedures set up to change a user’s password. Not when or how long
it should be (we already beat that to death in the last thread with the
Heartbleed bug); I’m talking about do you have a web-based user self-portal
that allows someone to enter name and ID number, answer a security question
or two to get to a password change screen if they forgot their password? If
so, did you get pushback because of the security questions that may have
been asked, such as “pick an address you may have lived at” or “what is your
mother’s maiden name” etc., and all the wonderful problems that come with
FERPA or PII info? Do you do it another way?



Thanks,

Dennis Levine



*Dennis Levine *| Network and Security Administrator | 120 Boylston
Street  Boston, MA  02116-4624 | (617) 824-8972 |
Dennis_Levine () emerson edu | www.emerson.edu
