Educause Security Discussion mailing list archives

Re: Self-Service Password Reset Practices


From: Chad McDonald <chad.mcdonald () GCSU EDU>
Date: Mon, 25 Jul 2005 14:49:44 -0400

I would recommend that you steer away from the SSN in your reset
requirements.  I can certainly see how that could be used for phishing.

Thanks,
Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
478.445.4473  Office
478.454.8250 Cell
478.445.1202 Fax



From: Russ Wade [mailto:Russ.Wade () WICHITA EDU]
Sent: Monday, July 25, 2005 2:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Self-Service Password Reset Practices



Hello,

We at Wichita State University are in the early stages of implementing an
Identity Management system.  We will use a single sign-on to authenticate
access to multiple applications.  This will include, in part, SCT Banner for
back office and student use.  Our email system will use this same sign-on
and be equally affected by lockouts and password changes.

We are using strong passwords and anticipate a high volume of password reset
requests.

We are interested in ways others have found practical and secure for a
self-service password reset function.

We are considering requiring the following information for password resets:

        First Name
        Last Name
        SSN
        Date of Birth
        Current Mailing Zip Code

We would send an email notification to individuals when their password is
reset, but their first indication of an intruder password reset would be the
inability to log on.

Is this generally considered sufficient or do most institutions include some
additional form of security, such as a challenge question?

Thanks,

Russ

Russ Wade,
SCT Banner Security Specialist
Wichita State University
University Computing and Telecommunications Services
1845 Fairmount
Wichita, KS  67260-0098
Email:   Russ.Wade () Wichita edu
Office:  (316) 978-3859
Mobile: (316) 312-0185
Fax:     (316) 978-3894
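As an added illustration (not code from the thread or from either poster), the flow below implements the alternative the question gestures at: the identity fields, plus a challenge question and without the SSN, only create a pending request, and the password changes only when a short-lived token delivered to the pre-registered e-mail address is presented, so the owner is notified before a reset can lock them out rather than after. The field names, token lifetime and attempt limit are assumptions, and the sample account data is constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL = 15 * 60   # seconds a reset token stays valid (assumed policy value)
MAX_FAILURES = 5      # proofing failures before self-service is refused (assumed)

def _h(value: str) -> bytes:
    """Normalise and hash a knowledge answer; nothing is stored or compared in clear."""
    return hashlib.sha256(value.strip().lower().encode()).digest()

@dataclass
class Account:
    email: str                 # pre-registered contact: the out-of-band channel
    proof: dict                # field name -> hashed identity data / challenge answer
    password_hash: str = ""
    failures: int = 0
    pending: dict = field(default_factory=dict)   # reset token -> expiry time

def new_account(email, first, last, dob, zip_code, answer):
    """Enrol with hashed proofing data (SSN deliberately not among the fields)."""
    raw = {"first": first, "last": last, "dob": dob, "zip": zip_code, "question": answer}
    return Account(email, {k: _h(v) for k, v in raw.items()})

def request_reset(acct, claims, now=None):
    """Step 1: verify every proofing field, then mint a one-time token for the
    registered e-mail. The password is NOT changed here; returns token or None."""
    now = time.time() if now is None else now
    if acct.failures >= MAX_FAILURES:
        return None
    checks = [hmac.compare_digest(h, _h(claims.get(k, ""))) for k, h in acct.proof.items()]
    if not all(checks):             # every field is evaluated; no early exit on a miss
        acct.failures += 1
        return None
    token = secrets.token_urlsafe(32)
    acct.pending[token] = now + TOKEN_TTL
    # send_mail(acct.email, token) -- out-of-band delivery is stubbed in this example
    return token

def complete_reset(acct, token, new_password, now=None):
    """Step 2: only a live, unused token from that e-mail authorises the change."""
    now = time.time() if now is None else now
    expiry = acct.pending.pop(token, None)   # single use: gone after first presentation
    if expiry is None or now > expiry:
        return False
    # Demo hashing only; a deployment uses a password KDF (bcrypt, scrypt or argon2).
    acct.password_hash = hashlib.sha256(new_password.encode()).hexdigest()
    acct.failures = 0
    return True
```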
