[unisog] Password Reset Procedures - How do you do it?

vijay at ericavijay.net
Sun Jun 7 05:34:47 GMT 2009

Hi all,

I don't know how popular it is to use text message / SMS or phone system to do this as a handshake method for this. We have implemented a similar system for customers of IT admins who are managing servers - yes they are growing. This is to get a temp one time passcode and an authorization code. Online authorization code is displayed on the screen for the user to save, the passcode is sent by text message / SMS only. The authorization code lasts only one hour.

It is a little complex perhaps for generic users, but for IT admins (whose number is growing), it is a good starting place to manage their access to servers (and VPN) through this system.


  ----- Original Message ----- 
  From: John Grover 
  To: UNIversity Security Operations Group 
  Sent: Saturday, June 06, 2009 4:22 PM
  Subject: Re: [unisog] Password Reset Procedures - How do you do it?


  Here at UMS we have a self-service page (that fac/staff and students can use) to do password resets via user generated questions and answers. We need some retooling in that area and in particular I don't think the user generated questions turned out to be such a good idea.

  There is a discussion right now on the educause IDM list about password distribution and service that you may find helpful - http://listserv.educause.edu/cgi-bin/wa.exe?A0=IDM

  One idea I got from it that I hadn't considered before is that the questions should be opinion based because it may be harder for me to know your opinion of something than to know a fact about you. 

  John Grover
  Assoc. Director, Systems and Operations
  University of Maine System

  On Fri, Jun 5, 2009 at 2:34 PM, randy marchany <marchany at vt.edu> wrote:

    Sorry to bother everyone as I know you have busy schedules.  I’m
    trying to do some checking on password resets.  Specifically, if a
    user forgets their password, do you allow them to answer secret
    questions and set a new password online?  Do you have specific
    procedures, policy, etc. on what occurs if a user (faculty, staff,
    student) forgets their password? If so, where can we find them online?

    Randy Marchany
    marchany at vt.edu
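
The two-code handshake described in the first message of this thread (authorization code shown on screen, passcode sent by SMS only, one-hour lifetime), as an added example that is not code from the poster's system. The function names, the in-memory store, the attempt limit, and applying the one-hour lifetime to the whole request are assumptions.

```python
import hashlib
import hmac
import secrets
import time

AUTH_TTL = 3600    # from the post: the authorization code lasts only one hour
MAX_ATTEMPTS = 5   # assumption: drop the request after repeated bad guesses
_pending = {}      # user -> pending request (in-memory stand-in for a database)


def _digest(salt, value):
    # Store only salted hashes so a leaked table does not reveal live codes.
    return hashlib.sha256(salt + value.encode()).digest()


def start_reset(user, now=None):
    """Create both codes; show auth_code on screen, send passcode by SMS only."""
    now = time.time() if now is None else now
    auth_code = secrets.token_urlsafe(16)          # displayed in the browser
    passcode = f"{secrets.randbelow(10**8):08d}"   # typed in from the phone
    salt = secrets.token_bytes(16)
    _pending[user] = {                             # replaces any older request
        "salt": salt,
        "auth": _digest(salt, auth_code),
        "pass": _digest(salt, passcode),
        "expires": now + AUTH_TTL,
        "attempts": 0,
    }
    return auth_code, passcode


def finish_reset(user, auth_code, passcode, now=None):
    """True only if both codes match and the request is unexpired and unused."""
    now = time.time() if now is None else now
    rec = _pending.get(user)
    if rec is None:
        return False
    if now >= rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[user]                         # expired or locked out
        return False
    rec["attempts"] += 1
    # Check both codes in constant time, with no short-circuit between them.
    ok_auth = hmac.compare_digest(rec["auth"], _digest(rec["salt"], auth_code))
    ok_pass = hmac.compare_digest(rec["pass"], _digest(rec["salt"], passcode))
    if ok_auth and ok_pass:
        del _pending[user]                         # one-time: no replay
        return True
    return False
```

Holding only one of the two channels (the browser session or the phone) is not enough to complete the reset, and a used or expired pair is rejected.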
