This space contains documentation for a project to provide online tools that will allow Virginia Tech users to reset their passwords.
Contents
4Help Password Reset Costs and Counts
IT Project Management Discussion May 7, 2009
Links to Other Resources for Self-Service Password Tools
PID Account States
Requirements Analysis
- SSPR Requirements for Phase II - Hokies passwords
- SSPR Requirements for Phase III - Oracle passwords
- SSPR Requirements for Phase I - PID passwords
Self-Service Draft Broad Timeline 31 July 2008
Self Service eToken Password Reset Analysis
Self-Service Password Reset Meetings
- Pre-Phase I - Self-Service Password Reset project background & history
- SSPR Meetings Phase II - Hokies passwords
- SSPR Meetings Phase III - Oracle Passwords
- SSPR Meetings Phase I - PID passwords
Self-service password reset products
Self-Service Password Reset Project Documentation
- SSPR Documentation for Phase II - Hokies passwords
- SSPR Documentation for Phase III - Oracle passwords
- SSPR Documentation for Phase I - PID passwords
6 Comments
Phil Benchoff
Dec 13, 2007
I'd suggest considering an e-mail signed with a VT certificate as sufficient to change a PID or Hokies password. The I&A standards for the VT cert exceed both of those accounts. I suppose the same could be said for SSL client cert login with a VT cert.
Marc DeBonis
Feb 04, 2008
I added an attachment to this thread with a condensed commentary from David Alexander of ohio.edu, he also mentions:
You may want to post this to the Educause IdM email list - IDM@LISTSERV.EDUCAUSE.EDU. I would be interested to see what responses you get there.
You may also want to take a look at the IdM list archives:
<http://listserv.educause.edu/cgi-bin/wa.exe?A0=idm>
I attached some prior research I did on this topic which includes stuff from the IdM list.
Marc DeBonis
Aug 20, 2008
How I Stole Somebody's Identity: http://www.sciam.com/article.cfm?id=anatomy-of-a-social-hack
(Ultimately they used a weak password reset process from the victim's .edu to start the ball rolling)
Marc DeBonis
Aug 29, 2008
Why we should hash at least the answers to the secret Q&A pairs...
Bank Changes Man's Password After They Realize It Insults Them
http://techdirt.com/articles/20080828/0938222122.shtml
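As an added illustration of the point made in this comment (example code, not part of the original page or of the SSPR project), the following shows what "hashing the answers" looks like in practice: each answer is normalised, salted and run through a slow key-derivation function, so a stolen table reveals neither the answers nor, as in the linked story, what a user chose to write. The questions themselves stay in plaintext, which is all the comment asks for. The normalisation rules, the PBKDF2 parameters and the helper names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# Assumed parameters (not from the page): PBKDF2-HMAC-SHA256 with a
# deliberately high iteration count and a random 16-byte salt per answer.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer before hashing so that harmless
    variation (case, extra spaces, punctuation) does not lock the legitimate
    user out. These particular rules are an assumption for the example."""
    text = answer.casefold().strip()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation such as "." or "!"
    text = re.sub(r"\s+", " ", text)      # collapse runs of whitespace
    return text


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh salt is generated when none is given,
    so two users with the same answer get different stored digests."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        salt,
        PBKDF2_ITERATIONS,
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def enroll(questions_and_answers: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the record to persist: question text -> (salt, digest).
    The plaintext answers are never stored."""
    return {q: hash_answer(a) for q, a in questions_and_answers.items()}


def check_all(record: Dict[str, Tuple[bytes, bytes]], supplied: Dict[str, str]) -> bool:
    """Require every enrolled question to verify. All answers are evaluated
    rather than short-circuiting, so a wrong first answer does not return
    measurably faster than a wrong last one."""
    results = [
        verify_answer(supplied.get(question, ""), salt, digest)
        for question, (salt, digest) in record.items()
    ]
    return all(results)


if __name__ == "__main__":
    # Constructed sample enrolment, not real user data.
    record = enroll({"First pet?": "Mr. Whiskers", "Birth city?": "Blacksburg"})
    print(check_all(record, {"First pet?": "mr whiskers", "Birth city?": " BLACKSBURG "}))
    print(check_all(record, {"First pet?": "Fluffy", "Birth city?": "Blacksburg"}))
```

Normalising before hashing is the one design decision that needs care: it trades a little entropy ("Mr. Whiskers" and "mr whiskers" collide on purpose) for far fewer help-desk calls from users who typed their own answer slightly differently at enrolment time.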
Greg Kroll
May 07, 2009
From the IT Security Office on behalf of Wayne Donald:
I recognize Identity Management Systems (IMS) as part of the IT Security Office (ITSO) is the sponsor for the effort being put forth to allow users to reset their password online. I fully understand as the number of users at Virginia Tech continues to increase and resources decrease that service units need to find better ways to address user needs.
That being said, as the IT Security Officer I do feel this process of allowing an online self-service password reset for the PID adds an element of risk (exposure) that does not currently exist. The PID at Virginia Tech is basically the key to everything - employment records, student data, financial data, individual tax information, and access to data covered by regulatory agencies at the State and national level. It's not just an email service that could get compromised, but access to sensitive data that could put the university (and individuals) in a difficult situation.
If I recall correctly from an earlier meeting, if an individual calls the help desk now to have a password reset they must provide three (3) pieces of information that can be verified with the DAT. One of those is the VT ID number and if that is not known they must show up in person to have the password reset. It is my understanding that with the online reset procedure there will be secret questions that the user must answer to go forward. It has been published in a number of articles that a smart attacker will go after the weakest link, and in the case of password resets, the questions have often been identified as the weakest link. I hope the implementation of such questions will take this into consideration as planning goes forth. Also, I don't recall if this has been discussed, but perhaps we should limit the number of resets per week (like one). I think it would also be reasonable to continue looking at other authentication methods for the online reset tool.
When this online service is implemented I would ask that some metrics be created in order to monitor the process. For example, the number of password resets by day/week/month, the number of repeated password resets, number of rejections, etc. I think having such metrics will be important to evaluate the process, and to also see if there are risks that might need to be addressed.
Please know the IT Security Office will provide additional insight into this as necessary.
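The two concrete suggestions in the comment above, a cap on resets per week and metrics on resets by day/week/month, repeated resets and rejections, can be checked directly against the reset tool's own log. The script below is an added example, not code from the SSPR project or the original page; the log format (one line per attempt with a timestamp, PID and outcome) and the sample lines are constructed for the example, and the one-reset-per-seven-days policy follows the comment's "like one" suggestion.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log, not taken from the page. The line format
# "<ISO timestamp> pid=<user> result=<success|rejected>" is an assumption.
SAMPLE_LOG = """\
2009-05-04T09:12:03 pid=alice result=success
2009-05-04T13:40:11 pid=bob result=rejected
2009-05-05T08:01:59 pid=alice result=success
2009-05-06T17:22:45 pid=carol result=success
2009-05-11T10:05:30 pid=bob result=success
2009-05-12T11:15:00 pid=alice result=rejected
"""

# Policy values: the comment suggests limiting resets to about one per week.
MAX_RESETS_PER_WINDOW = 1
WINDOW = timedelta(days=7)

Event = Tuple[datetime, str, str]  # (timestamp, pid, result)


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format into (timestamp, pid, result) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid_field, result_field = line.split()
        pid = pid_field.split("=", 1)[1]
        result = result_field.split("=", 1)[1]
        events.append((datetime.fromisoformat(ts), pid, result))
    return events


def reset_metrics(events: List[Event]) -> Dict[str, object]:
    """Compute the monitoring numbers the comment asks for:
    successful resets per day and per ISO week, users with repeated
    resets, and the count of rejected attempts."""
    successes = [e for e in events if e[2] == "success"]
    per_day = Counter(e[0].date().isoformat() for e in successes)
    per_week = Counter(
        "%d-W%02d" % (e[0].isocalendar()[0], e[0].isocalendar()[1]) for e in successes
    )
    per_user = Counter(e[1] for e in successes)
    repeated_users = {pid: n for pid, n in per_user.items() if n > 1}
    rejections = sum(1 for e in events if e[2] == "rejected")
    return {
        "per_day": dict(per_day),
        "per_week": dict(per_week),
        "repeated_users": repeated_users,
        "rejections": rejections,
    }


def reset_allowed(events: List[Event], pid: str, now: datetime) -> bool:
    """Enforce the per-window cap: refuse a new reset when the user already
    has MAX_RESETS_PER_WINDOW successful resets inside the trailing WINDOW."""
    recent = [
        e for e in events
        if e[1] == pid and e[2] == "success" and now - WINDOW < e[0] <= now
    ]
    return len(recent) < MAX_RESETS_PER_WINDOW


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(reset_metrics(evs))
    print(reset_allowed(evs, "alice", datetime(2009, 5, 6, 9, 0, 0)))  # second reset in the week
    print(reset_allowed(evs, "carol", datetime(2009, 5, 14, 9, 0, 0)))  # window has elapsed
```

Running the metrics on a schedule and alerting on users in `repeated_users` or on a jump in `rejections` gives the ITSO exactly the visibility the comment asks for; the same parsed events feed the rate-limit decision, so the policy and the monitoring cannot drift apart.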
Mary Dunker
Jul 07, 2009
Some references from an Educause SECURITY listserv thread in April, 2009:
http://www.fishnetsecurity.com/sites/com.fishnetsecurity/downloads/Forgot_Password_Best_Practices_v2.0.pdf
Here are some more resources (though these days I hate providing PDF links):
Designing Authentication Systems with Challenge Questions
http://hornbeam.cs.ucl.ac.uk/hcs/teaching/GA10/lec5extra/ch08just.pdf
Tips for Avoiding Bad Questions
http://securityps.infosecmedia.com/whitepapers/TipsforAvoidingBadQuestions.pdf
Good Security Questions web site
http://goodsecurityquestions.com