Educause Security Discussion mailing list archives

Re: Password Management Policy & Standards


From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Fri, 26 Feb 2016 20:10:44 +0000

I'm not a fan of security questions under any circumstances.

But I think this is all much more simple than people try to make it.

Refer to the 'remote' column of "Table 3 - Identity Proofing Requirements by
Assurance Level" in NIST SP 800-63
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf):
Issue "credentials in a manner that confirms the ability of the Applicant to
receive telephone communications or text message at phone number or e-mail
address associated with the Applicant in records." 

Collect a personal phone number and/or email address when the person is
standing in front of you (or some other appropriate, trusted time), then
call it or send it a one-time secret that allows the user to reset their
password.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Friday, February 26, 2016 1:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management Policy & Standards

I hope this isn't off topic, but how does password self-service work with
these policies and standards? With the proliferation of social media, it's
very difficult to come up with truly secure security questions. For an
alternate email, the ownership of that off-campus address is unverifiable.

There is also the question of requests to the help desk for password resets.
In person we ask for identification, but over-the-phone resets have the same
"secure question" issue that the self-service reset has. Asking for DOB or
address is way too easy to impersonate. How are you verifying account
ownership?

These are some of the practical matters with passwords we are struggling
with. A super secure password with good policies is no help if a little
social engineering can get account access the "proper" way.

Thomas Carter
Network & Operations Manager
Austin College
