Educause Security Discussion mailing list archives
Re: Self Service Password Resets
From: Joel Murphy <jmurphy () BUFFALO EDU>
Date: Wed, 12 Aug 2009 09:37:01 -0400
One thing we (at the University at Buffalo) implemented that I think is a must for self-service password reset is self-service lockout. If you can't "guess" the answers by the third try, the self-service question logon is locked. This significantly reduces the likelyhood of simply guessing the answers. Last month, we had 587 self service resets, and 62 lock outs, so I think it works without inordinately inconveniencing users. (lock-outs simply require a standard help-desk password reset call.) Someone also mentioned not indicating which answers are wrong on a wrong guess (which also helps prevent guessing). At UB we also require users to provide one question and answer of their own. Personally, I don't think the actual questions are as important as the policies around them. Joel randy marchany wrote:
It seems odd to reference Wikipedia but in this case, it merits inspection. I'm not a fan of any online password reset process that relies on "secret questions". Go to Wikipedia and search for the following: 1. "Password strength" - nice discussion on various issues with human generated passwords. There is a nice section on 'human generated passwords". 2. "Common Surnames" - reduces the effectiveness of the "what's your mother's maiden name" type of questions. They're listed by country. 3. "Common US Place name" - to address the "where's your birthplace" type questions 4. You get my drift here.... Also, you can google for "common pet names" and get a nice set of sites that list most popular pet names (Dogs - 1. Max, 2. Jake, 3. Buddy,.......) I would also read Bruce Schneier's articles on password resets. In other words, there are a number of resources that hackers use to defeat the "secret question" defense. The Sarah Palin email incident is proof of that. The most important questions to ask when deciding to implement an online password reset process are: 1. What is the impact of a fraudulent password reset? a.Does it just affect their email privs? b.Does access to the account affect personal items like classes or work benefits? If the answer is yes to 1b, I'd strongly consider NOT doing an online password reset process. It's that old risk analysis thing....what risk is your organization willing to accept? Randy Marchany VA Tech IT Security Office
Current thread:
- Self Service Password Resets Anand S Malwade (Aug 10)
- <Possible follow-ups>
- Re: Self Service Password Resets Ken Connelly (Aug 10)
- Re: Self Service Password Resets Anthony Maszeroski (Aug 10)
- Re: Self Service Password Resets randy marchany (Aug 10)
- Re: Self Service Password Resets Dennis Meharchand (Aug 10)
- Re: Self Service Password Resets Joel Murphy (Aug 12)
- Re: Self Service Password Resets Gary Flynn (Aug 18)
- Re: Self Service Password Resets Timothy Payne (Aug 18)
- Re: Self Service Password Resets Joel Murphy (Aug 24)