Educause Security Discussion mailing list archives

Re: Password Management Policy & Standards


From: Thomas Carter <tcarter () AUSTINCOLLEGE EDU>
Date: Fri, 26 Feb 2016 23:00:43 +0000

What happens when they cannot stand in front of you? When a professor is in Tibet on a semester-long study and needs their password reset and they don't have their US cell number (true story)? Or an incoming freshman calls from China before school starts?

Thomas Carter
Network & Operations Manager
Austin College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, 
Mark B
Sent: Friday, February 26, 2016 2:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management Policy & Standards

I'm not a fan of security questions under any circumstances.

But I think this is all much more simple than people try to make it.

Refer to the 'remote' column of "Table 3 - Identity Proofing Requirements by
Assurance Level" in NIST SP 800-63
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf):
Issue "credentials in a manner that confirms the ability of the Applicant to
receive telephone communications or text message at phone number or e-mail
address associated with the Applicant in records." 

Collect a personal phone number and/or email address when the person is
standing in front of you (or some other appropriate, trusted time), then
call it or send it a one-time secret that allows the user to reset their
password.
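An added illustration of the flow Mark describes above, not code from the thread or from NIST: the contact channel is recorded at a trusted time, and a later reset is honoured only when the requester proves possession of a one-time secret sent to that pre-registered channel. The TTL, attempt limit, code length and class/function names are all assumptions.

```python
# Added example (not from the thread): out-of-band one-time-secret reset.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 600      # seconds a one-time secret stays valid (assumed policy)
MAX_ATTEMPTS = 5     # wrong guesses before the secret is voided (assumed policy)


class ResetService:
    def __init__(self, clock=time.time):
        self.contacts = {}   # user -> contact verified in person (phone or e-mail)
        self.pending = {}    # user -> {"digest", "expires", "attempts"}
        self.clock = clock   # injectable clock so expiry can be tested offline

    def register_contact(self, user, contact):
        """Record the channel while the person is physically identified."""
        self.contacts[user] = contact

    def request_reset(self, user):
        """Issue a one-time secret for the pre-registered channel.

        Returns (contact, secret) for the caller's SMS/e-mail delivery step;
        the requester never supplies the destination, and only a hash of the
        secret is kept server-side. Returns None when no verified channel
        exists, so the caller must fall back to an in-person process."""
        contact = self.contacts.get(user)
        if contact is None:
            return None
        secret = f"{secrets.randbelow(10**8):08d}"   # 8-digit code from a CSPRNG
        self.pending[user] = {
            "digest": hashlib.sha256(secret.encode()).digest(),
            "expires": self.clock() + TOKEN_TTL,
            "attempts": 0,
        }
        return contact, secret

    def confirm_reset(self, user, presented):
        """True only for an unexpired, unused secret within the guess limit."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[user]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["digest"], hashlib.sha256(presented.encode()).digest())
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user]   # single use; also voided after too many guesses
        return ok
```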

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Friday, February 26, 2016 1:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management Policy & Standards

I hope this isn't off topic, but how does password self-service work with these policies and standards? With the proliferation of social media, it's very difficult to come up with truly secure security questions. For an alternate email, the ownership of that off-campus address is unverifiable.

There is also the question of requests to the help desk for password resets. In person we ask for identification, but over-the-phone resets have the same "secure question" issue that the self-service reset has. Asking for DOB or address is way too easy to impersonate. How are you verifying account ownership?

These are some of the practical matters with passwords we are struggling with. A super secure password with good policies is no help if a little social engineering can get account access the "proper" way.

Thomas Carter
Network & Operations Manager
Austin College
