Educause Security Discussion mailing list archives

Re: Password Management Policy & Standards


From: Thomas Carter <tcarter () AUSTINCOLLEGE EDU>
Date: Fri, 26 Feb 2016 19:33:49 +0000

I hope this isn't off topic, but how does password self-service work with these policies and standards? With the 
proliferation of social media, it's very difficult to come up with truly secure security questions. For an alternate 
email the ownership of that off-campus address is unverifiable. 

There is also the question of requests to the help desk for password resets. In person we ask for identification, but 
over-the-phone resets have the same "secure question" issue that the self-service reset has. Asking for DOB or address 
is way too easy to impersonate. How are you verifying account ownership?

These are some of the practical matters with passwords we are struggling with. A super secure password with good 
policies is no help if a little social engineering can get account access the "proper" way.

Thomas Carter
Network & Operations Manager
Austin College
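An added example, not part of Thomas Carter's message or of any Educause material: one self-service reset design that verifies ownership with a single-use, time-limited token delivered to a contact channel the user registered (and proved control of) in advance, instead of relying on security questions. The class and function names, the TTL and the attempt limit are assumptions of mine; the in-memory store stands in for a real database.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example (not from the mailing-list post).
TOKEN_TTL_SECONDS = 15 * 60   # a reset link/code is only valid briefly
MAX_FAILED_ATTEMPTS = 3       # a few bad guesses void the token entirely


class ResetTokenStore:
    """In-memory stand-in for the table that holds outstanding reset tokens.

    Only a hash of each token is kept, so reading the store does not yield a
    usable token; the plaintext exists once, in the message sent to the
    user's pre-registered contact channel.
    """

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so expiry can be tested
        self._pending = {}            # username -> dict(hash, expires_at, failures)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str) -> str:
        """Create a fresh token for `username`, replacing any earlier one."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, URL-safe
        self._pending[username] = {
            "hash": self._hash(token),
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "failures": 0,
        }
        return token   # caller delivers this out-of-band; never log it

    def redeem(self, username: str, presented: str) -> bool:
        """Return True once, for the correct unexpired token; False otherwise."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"]:
            del self._pending[username]       # stale token is discarded
            return False
        if not hmac.compare_digest(entry["hash"], self._hash(presented)):
            entry["failures"] += 1
            if entry["failures"] >= MAX_FAILED_ATTEMPTS:
                del self._pending[username]   # too many guesses: start over
            return False
        del self._pending[username]           # single use: consumed on success
        return True


def demo():
    """Walk through the normal flow and the failure modes; returns the outcomes."""
    now = [1_000_000.0]
    store = ResetTokenStore(clock=lambda: now[0])

    token = store.issue("alice")
    wrong_guess = store.redeem("alice", "not-the-token")
    first_use = store.redeem("alice", token)
    replay = store.redeem("alice", token)       # same token presented again

    store.issue("bob")
    bob_token = store.issue("bob")              # reissue replaces the first
    now[0] += TOKEN_TTL_SECONDS + 1
    after_expiry = store.redeem("bob", bob_token)

    carol_token = store.issue("carol")
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.redeem("carol", "guess")
    after_lockout = store.redeem("carol", carol_token)

    return {
        "wrong_guess": wrong_guess,
        "first_use": first_use,
        "replay": replay,
        "after_expiry": after_expiry,
        "after_lockout": after_lockout,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

The same mechanism can back the over-the-phone case raised above: rather than asking the caller for a date of birth or address, the help desk sends a code to the channel on file and has the caller read it back, so the check rests on possession of a registered device or mailbox rather than on facts that social media may already expose.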

