Educause Security Discussion mailing list archives
Re: Password Management Policy & Standards
From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Fri, 26 Feb 2016 23:09:03 +0000
What happens when they cannot stand in front of you? When a professor is in Tibet on a semester-long study and needs their password reset and they don't have their US cell number (true story)?

[Mark] Have them set the password recovery info when their accounts are activated, or update the info while they know their password and can prove who they are by authenticating. Then when in Tibet they need only control one of the alternate forms of communication that you have on record for them.

Or an incoming freshman calls from China before school starts?

[Mark] Collect the alternate contact info as part of the application/acceptance process.

Thomas Carter
Network & Operations Manager
Austin College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Mark B
Sent: Friday, February 26, 2016 2:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management Policy & Standards

I'm not a fan of security questions under any circumstances. But I think this is all much more simple than people try to make it. Refer to the 'remote' column of "Table 3 - Identity Proofing Requirements by Assurance Level" in NIST SP 800-63 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf): Issue "credentials in a manner that confirms the ability of the Applicant to receive telephone communications or text message at phone number or e-mail address associated with the Applicant in records." Collect a personal phone number and/or email address when the person is standing in front of you (or some other appropriate, trusted time), then call it or send it a one-time secret that allows the user to reset their password.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Friday, February 26, 2016 1:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management Policy & Standards

I hope this isn't off topic, but how does password self-service work with these policies and standards? With the proliferation of social media, it's very difficult to come up with truly secure security questions. For an alternate email, the ownership of that off-campus address is unverifiable.

There is also the question of requests to the help desk for password resets. In person we ask for identification, but over-the-phone resets have the same "secure question" issue that the self-service reset has. Asking for DOB or address is way too easy to impersonate. How are you verifying account ownership?

These are some of the practical matters with passwords we are struggling with. A super secure password with good policies is no help if a little social engineering can get account access the "proper" way.

Thomas Carter
Network & Operations Manager
Austin College
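The reset flow Mark describes above (a one-time secret delivered to a contact channel that was registered while the user could still authenticate), as an added example that is not part of the thread. The RecoveryService class, its in-memory stores, the 8-digit code, the 10-minute lifetime and the 5-attempt limit are all assumptions of this example:

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600   # assumed lifetime of a reset code
MAX_ATTEMPTS = 5        # assumed guess budget before a new request is required


class RecoveryService:
    """Password reset proofed through a pre-registered out-of-band contact.

    The contact (phone number or e-mail) is only ever recorded from an
    authenticated session; the reset path never accepts a new contact."""

    def __init__(self, send):
        self.send = send        # callable(contact, message) that delivers the secret
        self.contacts = {}      # user -> registered contact (constructed store)
        self.pending = {}       # user -> (sha256 hex of code, expires_at, attempts)

    def register_contact(self, user, contact, authenticated):
        # Recovery info may only be set or updated while the user can prove identity.
        if not authenticated:
            raise PermissionError("recovery contact can only be set while authenticated")
        self.contacts[user] = contact

    def start_reset(self, user, now=None):
        # Returns False when no trusted channel is on record (fall back to in-person proofing).
        now = time.time() if now is None else now
        contact = self.contacts.get(user)
        if contact is None:
            return False
        code = f"{secrets.randbelow(10**8):08d}"
        digest = hashlib.sha256(code.encode()).hexdigest()   # store only the hash
        self.pending[user] = (digest, now + OTP_TTL_SECONDS, 0)
        self.send(contact, f"Your password reset code is {code}")
        return True

    def finish_reset(self, user, code, now=None):
        # Returns True exactly once per issued code; the caller may then set a new password.
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if now > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[user]   # expired or exhausted: a fresh request is required
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(code.encode()).hexdigest()):
            self.pending[user] = (digest, expires_at, attempts + 1)
            return False
        del self.pending[user]       # single use
        return True
```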