Educause Security Discussion mailing list archives

Re: Password change procedures


From: Quentin L McCallum <mccalluq () LCC EDU>
Date: Fri, 2 May 2014 18:43:43 +0000

We built our own. We control the security questions. The user "claims" their account; sets up either a non-LCC email or 
a set of security questions. The question/answer is weighted so if the person selects a question easy to find the 
weight is low. They are prompted for more questions. "Good" security questions mean fewer question/answer pairs.

One nice feature that the team built in was a password strength calculator. Goes from red over to green as the person 
exceeds our minimums. 


Thanks,
Quentin L. McCallum, CISSP, ITIL-F, GCFE
Information Security Analyst
Lansing Community College
517-267-5014
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken 
Connelly
Sent: Friday, May 02, 2014 2:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change procedures

We have used security questions for self-service password reset for several years. When we started with that, I had 
high hopes that our process would work well. It doesn't. We will soon be rolling out a new scheme that requires the 
user to sign up (while authenticated to our portal) with an SMS-capable phone number or a non-UNI email address. 
When the user forgets or otherwise needs a password reset, they provide either their username or university ID number 
and a code is sent to the previously-registered destination that will allow them to create a new password for their 
account.

- ken

On 5/2/14, 1:12 PM, Roger A Safian wrote:

We were able to use our own security questions. We tried to make them 
a little less easy to search for, but, with a young population I 
still have this concern.

*From:* The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Dennis Levine
*Sent:* Friday, May 2, 2014 12:49 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Password change procedures

Hi Everyone,

I'm wondering if I could get some feedback as to how you have your 
school's procedures set up to change a user's password. Not when or how 
long it should be (we already beat that to death in the last thread 
with the Heartbleed bug); I'm talking about whether you have a web-based 
user self-service portal that allows someone to enter a name and ID number and 
answer a security question or two to get to a password change screen 
if they forgot their password. If so, did you get push back because of 
the security questions that may have been asked, such as "pick an 
address you may have lived at" or "what is your mother's maiden name", 
etc., and all the wonderful problems that come with FERPA or PII info? 
Do you do it another way?

Thanks,

Dennis Levine

Dennis Levine | Network and Security Administrator | 120 Boylston 
Street Boston, MA 02116-4624 | (617) 824-8972 | 
Dennis_Levine () emerson edu | www.emerson.edu



--
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!
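The code-to-registered-destination reset flow Ken describes, written out as an added example; this is not code from the thread or from any institution's system. The account directory, the 15-minute validity window, the 5-attempt limit and the 8-digit code length are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # assumed: a reset code is valid for 15 minutes
MAX_ATTEMPTS = 5            # assumed: the code is discarded after this many wrong guesses

# Constructed sample directory: account -> out-of-band destination the user
# registered earlier while authenticated to the portal (SMS number or outside email).
REGISTERED = {
    "jdoe": "sms:+15555550100",
    "asmith": "mail:asmith@example.org",
}

# Pending resets keyed by account. Only a hash of the code is kept, so a copy
# of this table alone does not let anyone finish a reset.
_pending = {}


def _hash_code(account, code):
    # Bind the hash to the account so a code issued for one user is useless for another.
    return hashlib.sha256(f"{account}:{code}".encode()).hexdigest()


def request_reset(account, now=None):
    """Issue a one-time code; return (destination, code) for the sender to deliver.
    Returns None for unknown accounts. The web form should show the same message
    either way so it does not reveal which accounts exist."""
    now = time.time() if now is None else now
    dest = REGISTERED.get(account)
    if dest is None:
        return None
    code = f"{secrets.randbelow(10**8):08d}"  # 8 digits from a CSPRNG
    _pending[account] = {"hash": _hash_code(account, code),
                         "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return dest, code


def redeem_reset(account, code, now=None):
    """Return True exactly once for a valid, unexpired code; False otherwise."""
    now = time.time() if now is None else now
    entry = _pending.get(account)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(account, None)  # expired or locked: discard, user must start over
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(entry["hash"], _hash_code(account, code)):
        _pending.pop(account)  # single use: the code cannot be replayed
        return True
    return False
```

A real deployment would keep `_pending` in persistent storage and deliver the code through the registered channel; the redemption step is the only thing that should unlock the set-new-password screen.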

