John, Jon, John et al,
We do this as well, that is three pieces of data allows them to reset
the password (even after expiration). I can't imagine if we in IT, or
elsewhere within the institution, would have to field those calls to
reset them for the students without this automation. I'd have to double
my staff (possibly an exaggeration).
Jeffery A. Le Blanc, MBA
VP for Information Technology
University of Northwestern Ohio
1441 N. Cable Rd.
Lima, OH 45805
[log in to unmask]
From: John Beck [mailto:[log in to unmask]]
Sent: Wednesday, April 25, 2007 2:43 PM
To: [log in to unmask]
Subject: Re: [CIO] Releasing passwords
How many Johns does it take to carry on a conversation? :-)
We do what Jon suggested - we have a web interface that validates the
individual based on a core set of info and allows them to reset their
password. This permits the password resetting to take place even after
the password has expired (which happens during the summer or when
students are overseas, etc.).
I hear the concern that the core set of identification info may not be
sufficiently secure. We use three different info items and hope/believe
that's enough. We may look further into that.
Give a person a fish and you feed them for a day.
Teach that person to use the Internet and they won't bother you for
John L. Beck
Director, Computer Services
St. Norbert College
100 Grant Street
De Pere, WI 54115-2099
E-Mail: [log in to unmask]
Phone: (920) 403-3866
Fax: (920) 403-4084
Jon E. Mitchiner wrote:
> What is your definition of "release"? Does this mean that you would
> be sharing the password back with the user? If so, this could be
> potentially dangerous. Some users may use the same password for a
> number of services, such as at their University, for their Yahoo
> e-mail account, and so forth.
> I think a safer mechanism would be to reset the password. If the
> legal user notices they can't log into the system anymore, they will
> know someone changed their password.
> Jon E. Mitchiner
> ITS Director
> (202) 651-5300
> (202) 651-5477 (Fax)
> John Davis wrote:
>> We can easily build a web-page that asks for various items such as
>> SSN, ERP ID, Birthdate, etc. to validate the person know that
>> information in order to release a "password". I have staff members
>> thinking that this is not secure enough.
>> Can some of you give me an idea how you release passwords to an
>> individual who has forgotten their password? Any other information
>> will be appreciated.
>> John R. Davis, CIO E-mail: [log in to unmask]
>> Information Technology http://www.marietta.edu/~davisj
>> Marietta College
>> 215 5th St Voice: (740) 376-4390
>> Marietta, OH 45750 Fax: (740) 376-4896
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.