corsasport.co.uk
 

Corsa Sport » Message Board » Off Day » Geek Day » Best Practise for Password Recovery


New Topic

New Poll
  Subscribe | Add to Favourites

You are not logged in and may not post or reply to messages. Please log in or create a new account or mail us about fixing an existing one - register@corsasport.co.uk

There are also many more features available when you are logged in such as private messages, buddy list, location services, post search and more.


Author Best Practise for Password Recovery
Kyle T
Premium Member

Avatar

Registered: 11th Sep 04
Location: Selby, North Yorkshire
User status: Offline
16th May 12 at 09:50   View Garage View User's Profile U2U Member Reply With Quote

I'm looking at configuring a self service portal for our international users so they can change their AD password and/or unlock it when I'm in bed.

We've got a tool to do the job, and it's all setup and waiting to be polished and released to our users - but I'm stumbling on the security questions. The default ones seem way too easy with stuff like Facebook available to research the relevant information - so I'm looking for some best practises or good examples of questions.

My imagination sucks, so if anyone can suggest something I'd appreciate it. Google simply suggests "Don't bother with self service question/answer authentication" but without pushing out RSA tokens and stuff (a project which is further down the line) I can't see an alternative.


Lotus Elise 111R

Impreza WRX STi
Laney
Member

Registered: 6th May 03
Location: Leeds
User status: Offline
16th May 12 at 09:53   View User's Profile U2U Member Reply With Quote

I'm no expert, but I'm going to guess at using non-current information is probably safest, based on the fact it's not normally available on places like Facebook.

First teacher, first car, first street name?
AndyKent
Member

Registered: 3rd Sep 05
User status: Offline
16th May 12 at 11:13   View User's Profile U2U Member Reply With Quote

First direct makes you choose a memorable location which I've always thought to be a good idea.
ed
Member

Registered: 10th Sep 03
User status: Offline
16th May 12 at 11:39   View User's Profile U2U Member Reply With Quote

Best practice? Don't use secret questions and answers. The only way to do it is by sending out a single use token with a short expiry time which will allow the user to reset their password. Sending out a single use password is another way to do it - you can give it short expiry time too.
John
Member

Registered: 30th Jun 03
User status: Offline
16th May 12 at 11:58   View User's Profile U2U Member Reply With Quote

How could you do that without texting to their phone (expensive and relatively complicated to set up) or sending to a colleague, which is just as insecure.

Everyone will probably know everyone else's password anyway so a secret question is probably adequate security.
ed
Member

Registered: 10th Sep 03
User status: Offline
16th May 12 at 12:04   View User's Profile U2U Member Reply With Quote

Just read portal and missed the active directory bit. Assumed it was a web based system - oops.
Kyle T
Premium Member

Avatar

Registered: 11th Sep 04
Location: Selby, North Yorkshire
User status: Offline
16th May 12 at 12:54   View Garage View User's Profile U2U Member Reply With Quote

Hmmm I could configure it so that users are prompted to write their own questions and answers... but that won't really fix anything I guess when I start getting calls at 2am...

"I've forgotton what my favourite colour was 6 months ago"


Lotus Elise 111R

Impreza WRX STi
Ian
Site Administrator

Avatar

Registered: 28th Aug 99
Location: Liverpool
User status: Offline
16th May 12 at 14:01   View Garage View User's Profile U2U Member Reply With Quote

I always try and pick the obscure secret question, then forget it.

Problem is, the stronger it becomes, the higher the likelihood is that it'll be forgotten. Much like a good password.

What about relaxing the policies on account lockouts?
Kyle T
Premium Member

Avatar

Registered: 11th Sep 04
Location: Selby, North Yorkshire
User status: Offline
16th May 12 at 14:40   View Garage View User's Profile U2U Member Reply With Quote

quote:
Originally posted by Ian
What about relaxing the policies on account lockouts?


That was my first suggestion, but it got shot down - apparently our current policies are too relaxed as it is...


Lotus Elise 111R

Impreza WRX STi
Ian
Site Administrator

Avatar

Registered: 28th Aug 99
Location: Liverpool
User status: Offline
16th May 12 at 15:30   View Garage View User's Profile U2U Member Reply With Quote

You got any HR data? Like national insurance number, bank account etc.
Kyle T
Premium Member

Avatar

Registered: 11th Sep 04
Location: Selby, North Yorkshire
User status: Offline
16th May 12 at 17:25   View Garage View User's Profile U2U Member Reply With Quote

quote:
Originally posted by Ian
You got any HR data? Like national insurance number, bank account etc.


I thought about employee number, it's something which goes on each payslip and it's referenced whenever you book a holiday or whatever - but many of the users are contractors, and they don't have such a number.

I've fired it back to my boss now tbh, let him decide whether we want some easy questions or if he wants them more complex - he can think of them by himself


Lotus Elise 111R

Impreza WRX STi
John
Member

Registered: 30th Jun 03
User status: Offline
16th May 12 at 17:33   View User's Profile U2U Member Reply With Quote

Anywhere we've put a stricter password policy in place it's caused me more work resetting the password every 3 months to something that circumvents the policy anyway.
Kyle T
Premium Member

Avatar

Registered: 11th Sep 04
Location: Selby, North Yorkshire
User status: Offline
16th May 12 at 17:34   View Garage View User's Profile U2U Member Reply With Quote

quote:
Originally posted by John
Anywhere we've put a stricter password policy in place it's caused me more work resetting the password every 3 months to something that circumvents the policy anyway.


Same, and I agree it's just a massive pain In the ass.




Lotus Elise 111R

Impreza WRX STi
Wrighty
Member

Registered: 28th Feb 04
Location: Howden
User status: Offline
16th May 12 at 19:19   View User's Profile U2U Member Reply With Quote

6 digit pin codes? would intergrate with rsa tokens later down the line too

 
New Topic

New Poll

  Related Threads Author Forum Replies Views Last Post
password recovery MarkW Geek Day 3 643
31st Jul 06 at 17:34
by abdus
 
aaarrrghhhh password help needed Dave A Geek Day 8 865
5th Feb 07 at 19:47
by Jules
 
Encrypted File Password Recovery Mistamist Geek Day 3 278
5th Mar 09 at 16:47
by willay
 
Enter user HDD password! UPDATED Jamie-C Geek Day 29 921
9th Jun 10 at 21:10
by Jamie-C
 
Outlook Express - Password Retrieve? Whittie Geek Day 14 334
1st Mar 12 at 20:40
by Whittie
 

Corsa Sport » Message Board » Off Day » Geek Day » Best Practise for Password Recovery 29 database queries in 0.0158670 seconds