Re: Password Self-Service software

["Chancellor, Beth C." <ChancellorB () MISSOURI EDU>]

We put our users in password initialization jail.  They can't reset
their initial password successfully without setting up their questions.

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Tuesday, February 17, 2009 10:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Self-Service software

 

There's also the accompanying challenge of convincing current
accountholders to take the time to register themselves with this
service.

 

The one you mention below is quite clever, but one thing these schemes
all have in common is the user has to actually visit them *before* they
need the service (and to not be in such a hurry that they can give due
care to their answer choices).

 

Having it be part of new-account activation is not as hard, but how are
schools adding these to existing systems, and inspiring the user base to
register themselves?

 

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chancellor, Beth C.
Sent: Tuesday, February 17, 2009 11:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Self-Service software

 

I have been particularly enamored with something that gets away from the
user typing in answers to questions.  While our institution is not even
close to using this or something similar, I thought I'd throw it out
there.  This type of reset application seems to have lots of benefits
including eliminating key logging as a problem.

 

http://www.ravenwhite.com/iforgotmypassword.html

 

Beth

 

 

 

Beth Chancellor

Chief Information Security Officer

University of Missouri

(573)882-3503

 

 

 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Francis
Sent: Tuesday, February 10, 2009 3:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Self-Service software

 

Hello,

 

We're wanting to implement a password self-service site for our users.  

I'm wondering what others are using. We're using AD for our back-end  

authentication. We have about 7500 students and employees and about  

20,000 alumni accounts which receive relatively casual use.

 

Here are the things that we're looking for:

 

1) Reset password using some sort of question/answer module

2) Allow pre-population of questions/answers would be desirable

3) Being able to send a one-time, expiring, password would be nice

4) Logging, logging, logging

5) We'll likely develop our own account provisioning but would like it  

to tie into this system for initial password connectivity

6) Enforcement of password rules

7) Notification to users when their password is about to expire

 

I've been looking at Password Manager from Quest but would like to  

hear suggestions from others.

 

Thanks,

Greg

 

Greg Francis

Director, Central Computing and Network Support Services

Information Technology Services

Gonzaga University

509-313-6896

francis () gonzaga edu