
Password Reset Best Practices

Password Reset

Higher Education

Internet2

Internet2 Middleware Initiative's MACE Directory Working Group produced Identifiers, Authentication, and Directories: Best Practices for Higher Education.

Some Highlights from the Authentication section

Use shared secrets or a positive photo ID to reset forgotten passwords.

Shared secrets are pieces of information that users provide when getting their initial passwords. The traditional shared secret is the user's mother's maiden name. Another approach is to have the user provide several pieces of information when first given a password, and then to require the user to provide some subset of this information (say, two items out of five) in order to change the password. Question-and-answer pairs also make good shared secrets.

Non-CCCU Universities

Self Service Reset
  • Saginaw Valley State University - Successful usage of this screen requires the student to know their Login ID, the last four digits of their Social Security Number, the last seven digits of their Student ID (identified on "TheCard" as id #), and their date of birth.
  • The University of North Carolina at Greensboro offers a Self Service Password Reset, asking only for University ID, username, first name, last name, and birthdate.
  • The University of Tennessee has an interesting default password standard which includes some private info. If a password is forgotten it can in some cases be reset back to the default, or web forms are available which ask for University ID and a University PIN. Note that the password reset page is not SSL-enabled.
  • University of Denver offers a Security Question for password resets.
Assisted Reset
  • Georgetown has a nice print and fax form as the only method for reset.
  • University of Tulsa requires physical presence with ID.
  • University of Pittsburgh requires physical presence with ID (http://technology.pitt.edu/accounts/).

Industry

Information Security Mag

An article Password Pain Relief in Information Security Mag, though a bit dated, discusses how several commercial Identity Management products help to establish self-service password resets.

Password-related help desk calls may cost as much as $30 a call, according to a Meta Group study.

PasswordCourier is typical of self-service reset products in enforcing an organization's strong password requirements while obligating the user to authenticate by answering customized challenge questions.

Password reset software generally lets users reset and change passwords from a browser, Windows client or telephone.

In addition to supporting authentication tools such as tokens and biometrics (either out of the box or through an SDK), self-service reset solutions typically authenticate users through a series of challenge-response questions. These should be questions only the user is likely to answer correctly, such as the name of a childhood pet.

To ensure that challenge questions provide strong user authentication, especially if the questions are the only authentication to the reset tool, reset solutions typically allow admins to define the number and type of questions that must be answered.

Sun One Identity Management

The Sun One Identity Management Administrator Guide explains the Password Reset Service. The service uses challenge questions to authenticate users who have forgotten their password. The one interesting implementation detail is that the user can select which of the challenge questions to answer when setting them up the first time. This is perhaps an effective way of preventing bad answers such as "I don't know". There is also a feature that can be enabled to let the user write their own question as well as the answer. Lastly, they implement good security measures such as lockout.
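The "two items out of five" shared-secret approach from the Authentication highlights above and the Sun One features noted here (rejecting bad answers, lockout) fit together in one small verifier. The following is an added example written for this page, not code from Internet2, Sun or any product named above; the question keys, the weak-answer list, the 2-of-5 threshold and the three-attempt lockout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Answers too short or too generic to authenticate anyone (constructed list).
WEAK_ANSWERS = {"i don't know", "idk", "none", "n/a", "password", "unknown"}


def normalize(answer: str) -> str:
    """Case-fold and drop non-alphanumerics so 'Rex!' and ' rex ' compare equal."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def is_weak(answer: str) -> bool:
    n = normalize(answer)
    return len(n) < 3 or n in {normalize(w) for w in WEAK_ANSWERS}


def _digest(salt: bytes, answer: str) -> bytes:
    # Answers are stored like passwords: salted, slow hash, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


class ChallengeStore:
    """k-of-n challenge answers per user with failed-attempt lockout (assumed design)."""

    def __init__(self, required: int = 2, max_attempts: int = 3):
        self.required, self.max_attempts, self.users = required, max_attempts, {}

    def enroll(self, user: str, qa_pairs: dict) -> None:
        weak = [q for q, a in qa_pairs.items() if is_weak(a)]
        if weak:
            raise ValueError(f"weak answer for: {weak}")  # refuse 'I don't know' style answers
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "failures": 0, "locked": False,
                            "answers": {q: _digest(salt, a) for q, a in qa_pairs.items()}}

    def is_locked(self, user: str) -> bool:
        return self.users[user]["locked"]

    def verify(self, user: str, answers: dict) -> bool:
        rec = self.users[user]
        if rec["locked"] or len(answers) < self.required:
            return False
        # Every supplied answer must match; one wrong answer is a failed attempt.
        ok = all(q in rec["answers"] and hmac.compare_digest(rec["answers"][q], _digest(rec["salt"], a))
                 for q, a in answers.items())
        if ok:
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        rec["locked"] = rec["failures"] >= self.max_attempts
        return False
```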

Sample Questions listed are:

  • What is your pet’s name?
  • What is your favorite TV show?
  • What is your mother’s maiden name?
  • What is your favorite restaurant?