[unisog] Password Reset Procedures - How do you do it?

vijay at ericavijay.net
Sun Jun 7 05:34:47 GMT 2009


Hi all,

I don't know how popular using text message / SMS or the phone system is as a handshake method for this. We have implemented a similar system for customers of IT admins who are managing servers - yes, they are growing. This is to get a temp one-time passcode and an authorization code. The online authorization code is displayed on the screen for the user to save; the passcode is sent by text message / SMS only. The authorization code lasts only one hour.

It is a little complex perhaps for generic users, but for IT admins (whose number is growing), it is a good starting place to manage their access to servers (and VPN) through this system.

Regards
Vijay 


  ----- Original Message ----- 
  From: John Grover 
  To: UNIversity Security Operations Group 
  Sent: Saturday, June 06, 2009 4:22 PM
  Subject: Re: [unisog] Password Reset Procedures - How do you do it?


  Randy,

  Here at UMS we have a self-service page (that fac/staff and students can use) to do password resets via user-generated questions and answers. We need some retooling in that area, and in particular I don't think the user-generated questions turned out to be such a good idea.

  There is a discussion right now on the EDUCAUSE IDM list about password distribution and service that you may find helpful - http://listserv.educause.edu/cgi-bin/wa.exe?A0=IDM

  One idea I got from it that I hadn't considered before is that the questions should be opinion based because it may be harder for me to know your opinion of something than to know a fact about you. 

  John Grover
  Assoc. Director, Systems and Operations
  University of Maine System



  On Fri, Jun 5, 2009 at 2:34 PM, randy marchany <marchany at vt.edu> wrote:

    Sorry to bother everyone as I know you have busy schedules.  I’m
    trying to do some checking on password resets.  Specifically, if a
    user forgets their password, do you allow them to answer secret
    questions and set a new password online?  Do you have specific
    procedures, policy, etc. on what occurs if a user (faculty, staff,
    student) forgets their password? If so, where can we find them online?
    Thanks.

    Randy Marchany
    marchany at vt.edu

    _______________________________________________
    unisog mailing list
    unisog at lists.dshield.org
    https://lists.sans.org/mailman/listinfo/unisog
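The two-channel reset described at the top of this message (authorization code shown on screen, one-time passcode sent by SMS, one-hour lifetime), sketched as an added example that is not part of the original post or the poster's system. The class and function names, the 8-digit passcode, the attempt limit and the keyed-hash storage are assumptions; only the two codes, the SMS delivery and the one-hour lifetime come from the post.

```python
import hashlib
import hmac
import secrets
import time

AUTH_CODE_TTL = 3600   # from the post: the authorization code lasts one hour
MAX_ATTEMPTS = 5       # assumption: the post gives no retry limit
_KEY = secrets.token_bytes(32)  # assumption: per-process key so stored codes are not reversible

def _mac(value: str) -> bytes:
    return hmac.new(_KEY, value.encode(), hashlib.sha256).digest()

class ResetService:
    """Hypothetical service: both codes must be presented to complete a reset."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone, passcode): the out-of-band channel
        self._clock = clock
        self._pending = {}          # MAC(auth_code) -> record; no plaintext codes stored

    def start(self, user: str, phone: str) -> str:
        auth_code = secrets.token_urlsafe(16)          # displayed on screen only
        passcode = f"{secrets.randbelow(10**8):08d}"   # delivered by SMS only
        self._pending[_mac(auth_code)] = {
            "user": user,
            "passcode_mac": _mac(passcode),
            "expires": self._clock() + AUTH_CODE_TTL,
            "attempts": 0,
        }
        self._send_sms(phone, passcode)
        return auth_code

    def redeem(self, auth_code: str, passcode: str):
        """Return the user name if both codes match and are fresh, else None."""
        key = _mac(auth_code)
        rec = self._pending.get(key)
        if rec is None:
            return None
        rec["attempts"] += 1
        expired = self._clock() >= rec["expires"]
        if expired or rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[key]   # expired or guessed too often: burn the ticket
            return None
        if not hmac.compare_digest(rec["passcode_mac"], _mac(passcode)):
            return None
        del self._pending[key]       # one-time: a successful redeem consumes both codes
        return rec["user"]
```
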




