For internal Emory applications, it is often possible to provide a help desk service that assists users when they need to reset their passwords. However, for public facing apps, this is often not possible because we have only limited information with which to authenticate these users. The large potential user base and the limited resources available to provide password reset support are also factors. Therefore, public facing apps must provide a means by which users can reset their password by themselves with no help/service desk interaction.
The Information Security group has established policies and guidelines to help accomplish self-service password reset. This involves a combination of private security questions and strong password requirements that can be used by the application to provide the user a means to change their password should they ever need to.
During registration a user is asked to provide answers to a configurable number of security questions. Information Security has a set of 36 questions that are used for internal apps. For many public facing apps, the audience may drive the final list of questions that are used during this process. The application owners work with Information Security to finalize the list of questions that will be used. For internal apps, users must provide answers to six of these questions during registration and they must correctly answer two questions when they wish to reset their password. Again, for public facing apps, the number of answers required during registration as well as the number of answers required during a password reset may change based on the audience of the application.
Using the WebEase web and mobile app(s) as an example, WebEase has a pool of 19 potential questions. During registration, a user must provide answers to two of those questions. When a user resets their password, they must correctly answer one of those questions. The 19 questions and the number of answers required during registration and during a password reset were negotiated between the application owners and Information Security, and that negotiation was based on the audience of these particular apps (people who are managing their epilepsy condition with these applications).
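The registration and reset flow described above, as an added example that is not part of the original page or of any Emory application: answers are normalised and stored as salted slow hashes, registration refuses fewer than the configured number of usable answers, and a reset succeeds only when the configured number of answers match. The question ids, hash parameters and policy dictionaries are assumptions; the counts (6 of 36 and 2 for internal apps, 2 of 19 and 1 for WebEase) come from the text.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import Dict, Optional, Tuple

# Enrolment/reset counts are the ones stated on this page; hash parameters and
# question ids are assumptions made for this illustration.
INTERNAL_POLICY = {"enrol": 6, "reset": 2}  # 6 of 36 at registration, 2 correct to reset
WEBEASE_POLICY = {"enrol": 2, "reset": 1}   # 2 of 19 at registration, 1 correct to reset
PBKDF2_ROUNDS = 100_000                     # assumption: tune to your hardware

def normalize(answer: str) -> str:
    """Canonicalise an answer so 'Mrs. Smith ' and 'mrs smith' compare equal."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())

def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Treat answers like passwords: salted, slow hash, never stored in plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def enrol(policy: dict, answers: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Registration: refuse unless the user supplied at least policy['enrol'] real answers."""
    usable = {q: a for q, a in answers.items() if normalize(a)}  # blank answers do not count
    if len(usable) < policy["enrol"]:
        raise ValueError(f"need {policy['enrol']} answers, got {len(usable)}")
    return {q: hash_answer(a) for q, a in usable.items()}

def pick_reset_questions(policy: dict, stored: Dict[str, Tuple[bytes, bytes]]) -> list:
    """Challenge: ask a random subset of the questions the user actually enrolled."""
    return secrets.SystemRandom().sample(sorted(stored), policy["reset"])

def verify_reset(policy: dict, stored: Dict[str, Tuple[bytes, bytes]],
                 attempts: Dict[str, str]) -> bool:
    """Reset: count matches without short-circuiting; succeed at policy['reset'] or more."""
    correct = 0
    for question, given in attempts.items():
        if question not in stored:
            continue                      # an unenrolled question never counts as a match
        salt, expected = stored[question]
        _, got = hash_answer(given, salt)
        correct += hmac.compare_digest(expected, got)
    return correct >= policy["reset"]
```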
Below is the list of 36 questions that are currently used for internal apps (provided by IT Information Security):
- Who was your 1st grade teacher?
- What is your grandmother's maiden name (first last) on your mother's side?
- What is the maiden name (first last) of the mother of your spouse/significant other?
- What is the name of your best friend from childhood (first last)?
- What is the full name (first last) of the first person you kissed?
- What is your oldest sibling's full name (first middle last)?
- What is the full name (first last) of the oldest sibling of your spouse/significant other?
- What was the make and model of the first car you owned?
- Who was your favorite teacher in high school?
- Who was your sports hero when you were in elementary school?
- What is your mother's full maiden name (first middle last)?
- What is the longest book you've ever read?
- What is the worst book you've ever read?
- Who was your 2nd grade teacher?
- Who was your 3rd grade teacher?
- What is your grandmother's maiden name (first last) on your father's side?
- Who was your childhood hero?
- What was the name of your first stuffed animal?
- What was the first concert you attended?
- What was your favorite place to visit as a child?
- What was the phone number of your best friend from childhood including area code? (e.g. 000-000-0000)
- What was the home street address of your best friend from childhood?
- What is your oldest cousin's first and last name?
- What is the full name of your oldest niece (first last)?
- What is the full name of your oldest nephew (first last)?
- What was the first job you held?
- What was the full name (first last) of the best man at your wedding?
- What was the full name (first last) of the maid of honor at your wedding?
- What was the name of your first pet?
- What is the full name (first last) of your father's oldest nephew?
- What is the full name (first last) of your first boss?
- Who was your favorite teacher in elementary school?
- Who was your least favorite teacher in elementary school?
- Who was your least favorite teacher in high school?
- What was your favorite restaurant in/near the hometown you grew up in?
- Who is the most famous person you've ever met?
The following information is taken from the IT Information Security wiki that describes the minimum requirements for a strong password at Emory:
- Passwords must be between 9 and 30 characters long
- Passwords must contain at least 2 alphabetic characters (A-Z, a-z) and at least 2 non-alphabetic characters (spaces, numerals, punctuation and/or special characters appearing on a standard U.S. PC keyboard)
- The userid/netid cannot be part of the password, and the password cannot contain more than 2 consecutive characters that are identical
These are the minimum requirements and are used for both internal and public facing applications. Depending on the audience of a public facing app, some negotiation on this topic is possible as well, but so far we have not needed to stray from these minimum requirements.
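A validator for the minimum password requirements listed above, added here as an example and not taken from any Emory system. It assumes the netid check is case-insensitive, that "special characters on a standard U.S. PC keyboard" means ASCII punctuation, and that characters outside that set count toward neither bucket; it reports every broken rule rather than stopping at the first.

```python
import re
import string
from typing import List

# Rules quoted on this page; the character classes are assumptions.
MIN_LEN, MAX_LEN = 9, 30
ALPHA = set(string.ascii_letters)                      # A-Z, a-z
NON_ALPHA = set(string.digits + string.punctuation + " ")  # digits, space, US punctuation

def password_violations(password: str, netid: str) -> List[str]:
    """Return every rule the candidate password breaks (empty list means acceptable)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if sum(ch in ALPHA for ch in password) < 2:
        problems.append("need at least 2 alphabetic characters (A-Z, a-z)")
    if sum(ch in NON_ALPHA for ch in password) < 2:
        problems.append("need at least 2 non-alphabetic characters (digits, space, punctuation)")
    # Assumption: netids are case-insensitive, so the containment check is too.
    if netid and netid.casefold() in password.casefold():
        problems.append("password must not contain the netid")
    # "more than 2 consecutive identical characters": three in a row is a violation.
    if re.search(r"(.)\1\1", password, re.DOTALL):
        problems.append("no character may repeat more than 2 times in a row")
    return problems

def is_acceptable(password: str, netid: str) -> bool:
    """Convenience wrapper for the common accept/reject decision."""
    return not password_violations(password, netid)
```

Returning the full list of violations lets the registration form show the user everything to fix at once instead of one rule per round trip.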