[unisog] Password Reset Procedures - How do you do it?

Adam Schumacher adamschumacher at creighton.edu
Mon Jun 8 15:30:14 GMT 2009

We have developed an in-house system that requires a person to answer
pre-defined security questions, and have access to a secondary email account
or a mobile phone capable of receiving SMS.  This provides two-factor
authentication before a user is allowed to reset their password.  This
process replaces an old one involving needing an ID card and the password
being set with the last 4 of the SSN.

What we are working on now is changing the processes so that accounts are
created with a random password and set to disabled until the user logs on
with a one-time password (that is given in person, or sent via USPS) and
configures his/her security questions and alternate contact info.

On 6/5/09 1:34 PM, "randy marchany" <marchany at vt.edu> wrote:

> Sorry to bother everyone as I know you have busy schedules.  I'm
> trying to do some checking on password resets.  Specifically, if a
> user forgets their password, do you allow them to answer secret
> questions and set a new password online?  Do you have specific
> procedures, policy, etc. on what occurs if a user (faculty, staff,
> student) forgets their password? If so, where can we find them online?
> Thanks.
> Randy Marchany
> marchany at vt.edu


Adam Schumacher
Information Security Engineer
Creighton University

Don't share your password with ANYONE, EVER.  This means YOU!
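
Added example, not part of the original message and not Creighton's code: a
sketch of the provisioning flow described above, where an account starts
disabled with a random password and is enabled only after a single-use
one-time password is redeemed and enrollment is completed. The class and
method names, the 14-day validity window, the two-question minimum and the
hashing choices are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 14 * 24 * 3600  # assumption: long enough for postal delivery


def _sha256(token):
    # A fast hash is acceptable only because the inputs are random,
    # high-entropy tokens, not user-chosen secrets.
    return hashlib.sha256(token.encode()).digest()


class Account:
    def __init__(self, username):
        self.username = username
        self.enabled = False  # disabled until enrollment completes
        # Random initial password: generated, hashed, never disclosed.
        self.password_hash = _sha256(secrets.token_urlsafe(32))
        self.otp_hash = None
        self.otp_expires = 0.0
        self.answers = {}  # question -> (salt, digest)
        self.alt_contact = None

    def issue_otp(self, now=None):
        """Return the one-time password to hand over in person or by mail."""
        now = time.time() if now is None else now
        otp = secrets.token_hex(8)  # 64 random bits
        self.otp_hash = _sha256(otp)  # only the digest is stored
        self.otp_expires = now + OTP_TTL_SECONDS
        return otp

    def enroll(self, otp, answers, alt_contact, now=None):
        """Redeem the OTP, store questions and contact, enable the account."""
        now = time.time() if now is None else now
        if self.enabled or self.otp_hash is None or now > self.otp_expires:
            return False
        if not hmac.compare_digest(self.otp_hash, _sha256(otp)):
            return False
        if len(answers) < 2 or not alt_contact:
            return False  # incomplete enrollment leaves the OTP unspent
        for question, answer in answers.items():
            salt = secrets.token_bytes(16)
            norm = " ".join(answer.lower().split()).encode()
            digest = hashlib.pbkdf2_hmac("sha256", norm, salt, 200_000)
            self.answers[question] = (salt, digest)
        self.alt_contact = alt_contact
        self.otp_hash = None  # single use
        self.enabled = True
        return True
```

A production version would also count failed OTP attempts and lock the
enrollment after a small number of misses.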


