Educause Security Discussion mailing list archives
Re: Self-Service Password Reset Practices
From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Mon, 25 Jul 2005 13:45:25 -0500
We're trying to reduce and/or eliminate phone reset requests to the help desk, requiring them to show up in person (faculty/staff/students) or use the self-service solution. We're using a product that integrates well with AD and is affordable from Anixis (http://www.anixis.com/), http://mypw.tcu.edu/. We gather enrollment data and then email those who haven't enrolled in the system. The problem we found with doing self-service based on the criteria you list below is that it is too easy to obtain, particularly in the student ex-boy/girlfriend scenario. As for complexity, there is an excellent PDF out there (google on Cambridge mnemonic password study) that can help you argue that complexity does not equal hard to remember.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

________________________________
From: Russ Wade [mailto:Russ.Wade () WICHITA EDU]
Sent: Monday, July 25, 2005 1:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Self-Service Password Reset Practices

Hello,

We at Wichita State University are in the early stages of implementing an Identity Management system. We will use a single sign-on to authenticate access to multiple applications. This will include, in part, SCT Banner for back office and student use. Our email system will use this same sign-on and be equally affected by lockouts and password changes. We are using strong passwords and anticipate a high volume of password reset requests.

We are interested in ways others have found practical and secure for a self-service password reset function. We are considering requiring the following information for password resets:

First Name
Last Name
SSN
Date of Birth
Current Mailing Zip Code

We would send an email notification to individuals when their password is reset, but their first indication of an intruder password reset would be the inability to log on.

Is this generally considered sufficient or do most institutions include some additional form of security, such as a challenge question?

Thanks,
Russ

Russ Wade, SCT Banner Security Specialist
Wichita State University
University Computing and Telecommunications Services
1845 Fairmount
Wichita, KS 67260-0098
Email: Russ.Wade () Wichita edu
Office: (316) 978-3859
Mobile: (316) 312-0185
Fax: (316) 978-3894
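The exchange above contrasts a reset gated on identity attributes (name, SSN, date of birth, zip code), which Bryan notes are easy for an acquaintance to obtain, with one that adds an enrolled challenge question. The following Python sketch is an added illustration of the second design; it is not code from either university, from the Anixis product, or from this thread. It assumes a store of enrolled challenge answers (salted and slow-hashed, normalized for case and spacing), a per-account failure counter that locks self-service and refers the user to the help desk, a short-lived one-time token delivered out of band, and the completion notification Russ describes. Usernames, questions, answers, email addresses, the lockout threshold and the token lifetime are all constructed for the example.

```python
"""Self-service password reset with enrolled challenge answers.

Added illustration, not TCU's, WSU's or the Anixis product's code.
It assumes: enrolled answers stored salted and hashed, a failure
lockout, a one-time out-of-band reset token, and a completion
notification. Every name and value below is constructed.
"""
import hashlib
import hmac
import os
import secrets
import time
import unicodedata
from dataclasses import dataclass

MAX_FAILURES = 5          # lock self-service after this many bad attempts (assumption)
TOKEN_TTL_SECONDS = 900   # reset token lifetime (assumption)


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive so 'Fluffy ' matches 'fluffy'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Slow hash so a copied enrollment table is not a list of answers."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


@dataclass
class Enrollment:
    email: str
    salt: bytes
    answers: dict            # question -> hashed answer
    failures: int = 0
    locked: bool = False


class ResetService:
    def __init__(self):
        self.users = {}      # username -> Enrollment
        self.passwords = {}  # username -> current password (stand-in for AD)
        self.tokens = {}     # token -> (username, expiry)
        self.outbox = []     # constructed stand-in for outgoing mail

    def enroll(self, username, email, question_answers):
        salt = os.urandom(16)
        self.users[username] = Enrollment(
            email=email, salt=salt,
            answers={q: hash_answer(a, salt) for q, a in question_answers.items()})

    def request_reset(self, username, answers):
        """Return a one-time token if every answer matches, else None."""
        user = self.users.get(username)
        if user is None or user.locked:
            return None      # same response for unknown, locked and wrong
        matched = True
        for question, expected in user.answers.items():
            given = hash_answer(answers.get(question, ""), user.salt)
            if not hmac.compare_digest(given, expected):
                matched = False  # keep going: evaluate every question
        if not matched:
            user.failures += 1
            if user.failures >= MAX_FAILURES:
                user.locked = True
                self.outbox.append((user.email, "self-service reset locked; contact help desk"))
            return None
        user.failures = 0
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, time.time() + TOKEN_TTL_SECONDS)
        self.outbox.append((user.email, f"reset token: {token}"))  # out of band
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token once, set the password, notify the owner."""
        entry = self.tokens.pop(token, None)   # single use
        if entry is None:
            return False
        username, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False
        self.passwords[username] = new_password
        self.outbox.append((self.users[username].email, "your password was reset"))
        return True


def demo():
    """Walk the flow on constructed data; returns the outcomes for checking."""
    svc = ResetService()
    svc.enroll("rwade", "russ@example.edu",
               {"first pet": "Fluffy", "first street": "Elm Avenue"})
    bad = svc.request_reset("rwade", {"first pet": "Fluffy", "first street": "Oak"})
    token = svc.request_reset("rwade", {"first pet": " fluffy", "first street": "elm avenue"})
    done = svc.complete_reset(token, "new-Passw0rd!")
    replay = svc.complete_reset(token, "again")
    return {"bad": bad, "token": token, "done": done, "replay": replay,
            "password": svc.passwords.get("rwade"), "mails": len(svc.outbox), "svc": svc}


if __name__ == "__main__":
    print(demo())
```

The two points from the thread that this models are that the answers come from enrollment rather than from records an acquaintance can look up, and that a wrong guess costs the guesser something: after MAX_FAILURES the account drops back to an in-person reset, which is the fallback Bryan describes. Returning the same None for unknown, locked and wrong cases keeps the form from confirming who is enrolled.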
Current thread:
- Self-Service Password Reset Practices Russ Wade (Jul 25)
- <Possible follow-ups>
- Re: Self-Service Password Reset Practices Lucas, Bryan (Jul 25)
- Re: Self-Service Password Reset Practices Chad McDonald (Jul 25)
- Re: Self-Service Password Reset Practices clementz.7 (Jul 25)
- Re: Self-Service Password Reset Practices Cal Frye (Jul 25)
- Re: Self-Service Password Reset Practices Gary Dobbins (Jul 26)
- Re: Self-Service Password Reset Practices John Kristoff (Jul 28)
- Re: Self-Service Password Reset Practices Scott Fendley (Jul 28)
