Educause Security Discussion mailing list archives

Re: Password resets


From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Tue, 1 Aug 2017 20:12:48 +0000

We modify this a little.


- We do have an SSPR tool that we make students set up during orientation week (the SSPR is part of our SSO).

- A password reset may be initiated by email, or ticket, but they only may continue after we call the person back on their primary phone number in the ERP.  If a call initiates this, we verify the phone number used vs the ERP.

- We verify 3 of 6 different designated fields from our ERP, before setting somebody’s password (phone number used is usually one of those fields).

- Our levels are –
  Level 1 – Students - All tech personnel.
  Level 2 – Employees may only be reset by full-time tech personnel (leaves out student workers)
  Level 3 – Any special accounts, or management only can be done by network staff

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Wasson
Sent: Tuesday, August 01, 2017 3:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password resets


  1.  We allow password reset requests via telephone
  2.  Individuals are required to confirm 3 pieces of individual identifying information.
  3.  We have 3 levels of password reset permission.

     *   Level 1 - Employees that deal directly with students (registration, financial aid, records, advising, etc) have the ability to change student passwords, but not employee passwords.
     *   Level 2 - Employee passwords can only be changed by help desk personnel or IT staff.
     *   Level 3 - IT staff passwords can only be changed by other IT staff members.

  4.  Temp passwords are verbally given if the individual is on the phone.

Dan

Dan Wasson
Director Systems & LAN Management
Northwestern Michigan College
231-995-1164
dwasson () nmc edu

Don't be a scam victim - NMC and other reputable organizations will never use email to request that you reply with your 
password, social security number or confidential personal information.

On Tue, Aug 1, 2017 at 10:22 AM, McClenon, Brady <Brady.McClenon () oneonta edu> wrote:
I’m curious as to how other institutions handle user password resets when self-service mechanisms fail or options are exhausted.  Specific questions I have are:


  1.  Do you allow reset requests over the phone, or require they be done in person?
  2.  How do you verify identity over the phone or in person?
  3.  Who at your institution is empowered to perform password resets?
  4.  How do you deliver the new/temp password to the user?


Thanks,


Brady McClenon
IT Security Administrator
ITS – IT Security
SUNY Oneonta



