Educause Security Discussion mailing list archives
Re: Challenge/response questions?
From: Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>
Date: Wed, 15 Apr 2009 13:40:31 -0500
Leon-

List users is easy, but rights is pretty wide open. What rights are you looking to learn about?

Thanks,
Brian Desmond
brian.desmond () morantechnology com
c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Leon DuPree
Sent: Tuesday, April 14, 2009 8:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Challenge/response questions?

Does anyone have a sample script for Active Directory that would list users and rights? Be great if I could get some kind of error handling with it in case it does not work on a server.

Let me know if you have any questions why? (I am not interested in reinventing the wheel :)

Leon DuPree
University of Michigan
LSA Intern

On Mon, Apr 13, 2009 at 12:23 PM, Schumacher, Adam J <ADAMSCHUMACHER () creighton edu> wrote:

We use security questions plus having access to a secondary email account or cellphone capable of receiving text messages to reset passwords. We provide 15 possible questions to choose from, of which they must select three (and answer a random selection of 2).

Best practices for questions would involve things that aren't likely to change over time (excludes "what's your favorite _____?" type questions), things that aren't too easy to guess or find out, and have high entropy (lots of possible answers).

Some examples of decent questions might include:

What is your oldest sibling's birthday?
What is the address of the first house you lived in?
What hospital were you born at?
What was the color of your first car?
What was the make/model of your first car?

On 4/10/09 12:57 PM, "Witmer, Robert" <r.witmer () SNHU EDU> wrote:

There must be a better way!

We have a customized single sign on solution and are looking at self service password resets from a web page. Everything after authentication has been worked out. Currently we are thinking of using challenge/response type questions to verify account ownership. However, either most of the information is available on line (mother's maiden name = genealogy sites) or includes personally identifying information (SSN last 4) that we don't collect and don't want to use.

Anyone have a better idea? If not, anyone have better challenge/response questions?

Regards,
Bob

sha1(
Adam Schumacher
Information Security Engineer
Creighton University
Don't share your password with ANYONE, EVER. This means YOU!
402-280-2383
402-672-1732
) = 1a72637cf94189654ab1a827520a5e41738f41b0

--
EIM Consulting
PO Box 320822
Flint Township, MI 48532
Leon DuPree B.S MBA
Chief Security Consultant
Phone: 810-569-6427
Fax: 270-447-3872
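
The enroll-three, ask-two scheme from Adam Schumacher's message, sketched as an added example (not code from any poster or their institution). Storing answers as salted PBKDF2 digests, the normalization rule, the distinct-answer check and all function names are assumptions of this example; the secondary e-mail/SMS factor is out of scope.

```python
import hashlib
import hmac
import secrets
import unicodedata

CATALOGUE_SIZE = 15   # questions offered to the user (from the message)
ENROLL_COUNT = 3      # questions each user must select
CHALLENGE_COUNT = 2   # questions asked at reset time

def normalize(answer: str) -> str:
    """Fold case, Unicode form and whitespace so trivial typing differences match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def _digest(answer: str, salt: bytes) -> bytes:
    # Assumption: a slow salted KDF, so a leaked store does not expose answers
    # that are also "secrets" at other sites.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)

def enroll(answers: dict) -> dict:
    """answers maps question id (0..14) to answer text; returns id -> (salt, digest)."""
    if len(answers) != ENROLL_COUNT:
        raise ValueError("exactly three questions must be selected")
    if any(qid not in range(CATALOGUE_SIZE) for qid in answers):
        raise ValueError("unknown question id")
    normalized = [normalize(a) for a in answers.values()]
    # Assumption (not from the message): reject empty or repeated answers.
    if "" in normalized or len(set(normalized)) != ENROLL_COUNT:
        raise ValueError("answers must be non-empty and distinct")
    record = {}
    for qid, answer in answers.items():
        salt = secrets.token_bytes(16)
        record[qid] = (salt, _digest(answer, salt))
    return record

def pick_challenge(record: dict) -> list:
    """Pick which two enrolled questions to ask, using the OS CSPRNG.
    The result must be kept server-side for the reset session."""
    return sorted(secrets.SystemRandom().sample(sorted(record), CHALLENGE_COUNT))

def verify(record: dict, responses: dict, challenge: list) -> bool:
    """Every challenged question must match; all digests are computed either way."""
    ok = set(responses) == set(challenge)
    for qid in challenge:
        salt, expected = record[qid]
        got = _digest(responses.get(qid, ""), salt)
        ok &= hmac.compare_digest(got, expected)
    return ok
```

A real deployment would also rate-limit and log failed `verify` calls per account, since the answers are low-entropy compared with a password.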