Educause Security Discussion mailing list archives
Re: Password Management Policy & Standards
From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Fri, 26 Feb 2016 20:10:44 +0000
I'm not a fan of security questions under any circumstances. But I think this is all much more simple than people try to make it. Refer to the 'remote' column of "Table 3 - Identity Proofing Requirements by Assurance Level" in NIST SP 800-63 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf): Issue "credentials in a manner that confirms the ability of the Applicant to receive telephone communications or text message at phone number or e-mail address associated with the Applicant in records." Collect a personal phone number and/or email address when the person is standing in front of you (or some other appropriate, trusted time), then call it or send it a one-time secret that allows the user to reset their password.
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Friday, February 26, 2016 1:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management Policy & Standards

I hope this isn't off topic, but how does password self-service work with these policies and standards? With the proliferation of social media, it's very difficult to come up with truly secure security questions. For an alternate email, the ownership of that off-campus address is unverifiable.

There is also the question of requests to the help desk for password resets. In person we ask for identification, but over-the-phone resets have the same "secure question" issue that the self-service reset has. Asking for DOB or address is way too easy to impersonate. How are you verifying account ownership?

These are some of the practical matters with passwords we are struggling with. A super secure password with good policies is no help if a little social engineering can get account access the "proper" way.

Thomas Carter
Network & Operations Manager
Austin College
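The reset flow Mark Jones describes above (deliver a one-time secret to a phone number or e-mail address that was captured at a trusted time, never to a contact supplied at reset time) is sketched below as an added example. This is not code from the list discussion or from any institution's help desk system: the records table, the 10-minute lifetime, the 5-attempt limit and the 8-digit code format are assumptions for illustration, and delivery is stubbed out (the function returns the destination and the message instead of sending an SMS or e-mail).

```python
"""One-time, out-of-band password-reset secret keyed to a contact on record.

Added example, not code from the mailing-list thread. The record store,
delivery stub and parameters (TTL, attempt limit, code length) are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 10 * 60   # assumption: secret is valid for 10 minutes
MAX_ATTEMPTS = 5             # assumption: burn the secret after 5 wrong guesses

# Constructed sample of "the Applicant's records": contacts collected when the
# person was physically present, NOT supplied by the requester at reset time.
RECORDS = {
    "tcarter": {"sms": "+15125550100", "email": "t.carter@example.edu"},
}

# Server-side state for pending resets: username -> pending entry.
_pending = {}


def _digest(username: str, code: str) -> bytes:
    # Store only a hash, so a read of the pending table does not reveal the code.
    return hashlib.sha256(f"{username}:{code}".encode()).digest()


def start_reset(username: str, channel: str, now: Optional[float] = None):
    """Generate a one-time secret; return (destination, message) for delivery.

    The destination comes from RECORDS, never from the request, so an attacker
    who knows the username cannot redirect the secret to a contact they control.
    Returns None for an unknown account or channel (the caller should show the
    same generic "if we have a contact on file, we sent a code" response either
    way, so accounts are not enumerable).
    """
    now = time.time() if now is None else now
    contact = RECORDS.get(username, {}).get(channel)
    if contact is None:
        return None
    code = f"{secrets.randbelow(10**8):08d}"   # 8 digits from a CSPRNG
    _pending[username] = {
        "digest": _digest(username, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return contact, f"Your password reset code is {code}. It expires in 10 minutes."


def finish_reset(username: str, code: str, now: Optional[float] = None) -> bool:
    """Return True exactly once, for the right code, inside the TTL."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(username, None)   # expired or being brute-forced: burn it
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(entry["digest"], _digest(username, code)):
        _pending.pop(username, None)   # single use: a replayed code fails
        return True
    return False


if __name__ == "__main__":
    dest, msg = start_reset("tcarter", "sms")
    print(f"would send to {dest}: {msg}")
```

The two properties worth checking in any real implementation of this pattern are the ones the code enforces explicitly: the secret is bound to a contact already on record (the requester chooses only the channel, not the address), and it is short-lived, single-use and rate-limited, so a guessable 8-digit code is still safe against online guessing. What the code does not solve is the case Thomas Carter raises for alternate e-mail: the contact must be collected through a trusted process in the first place, or the binding is worthless.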