[OPEN-ILS-GENERAL] Password reset uses phone number fails: EG2.2

Justin Hopkins justin at mobiusconsortium.org
Fri Aug 3 10:11:18 EDT 2012


>>> Because resetting someone's password to something that is basically
>>> public information, their phone number, is asking for accounts to be
>>> hijacked.

I completely agree - the sad thing is that many many libraries do this. My local public library uses birthdate by default. Some libraries use no password at all - you just enter the barcode and you're in.

To suggest something specific I'll say that my favorite way of handling this is to not set an initial password at all. Users without a password use the password reset tool. A slight wording change to something like "Request a new password" should be sufficient to clue them in. 

One issue I see with the whole password reset issue is that if you don't want to reset to a known value (like phone number), which is always going to be insecure, you depend on some kind of out of band communication method… usually email. We've talked to quite a few small libraries and many of their patrons don't have email addresses - or at least don't have them on their patron record. How can you handle password resets for these patrons without involving library staff and still maintain the security of their account? 


Regards,
Justin Hopkins
IT & Web Services Coordinator
573-808-2309
justin at mobiusconsortium.org




On Aug 3, 2012, at 8:50 AM, Thomas Berezansky wrote:

> All of the above.
> 
> Personally, I disagree with the setting existing to begin with, and think that the initial passwords should be much more complicated than just digits.
> 
> Thomas Berezansky
> Merrimack Valley Library Consortium
> 
> 
> Quoting Bob Wicksall <bwicksall at pls-net.org>:
> 
>> <Snip>
>> 
>>> Because resetting someone's password to something that is basically
>>> public information, their phone number, is asking for accounts to be
>>> hijacked.
>> 
>> If that is the case you could argue that the setting shouldn't exist in the first place.  What is worse?  A database full of users who have never changed their password from the default phone number or a few manually reset passwords?
>> 
>> Bob Wicksall
>> Systems Administrator
>> 
>> Pioneer Library System
>> 2557 State Rt. 21
>> Canandaigua, New York  14424
>> 
>> 
>> ----- Original Message -----
>>> From: "Jason Stephenson" <jstephenson at mvlc.org>
>>> To: open-ils-general at list.georgialibraries.org
>>> Sent: Friday, August 3, 2012 9:27:00 AM
>>> Subject: Re: [OPEN-ILS-GENERAL] Password reset uses phone number fails: EG2.2
>>> 
>>> Quoting Thomas Berezansky <tsbere at mvlc.org>:
>>> 
>>> > All future resets would still be random.
>>> 
>>> Because resetting someone's password to something that is basically
>>> public information, their phone number, is asking for accounts to be
>>> hijacked.
>>> 
>>> 
>>> --
>>> Jason Stephenson
>>> Assistant Director for Technology Services
>>> Merrimack Valley Library Consortium
>>> Chief Bug Wrangler, Evergreen ILS
>>> 
>> 
> 
> 
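The "no initial password, patrons use the reset tool instead" approach Justin describes above, worked through as an added example (not Evergreen code and not something from any of the posters): accounts start with no password at all, a reset is granted by a random single-use token whose hash is stored, and the token itself is handed to whatever out-of-band channel the library has (email, or a printed slip at the desk for patrons without an address on file). The in-memory dictionaries, the one-day token lifetime and the function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores for this example; an ILS would keep these in
# its patron database. Neither holds a plaintext secret.
_PENDING_RESETS = {}    # user_id -> {"token_hash": str, "expires_at": float}
_PASSWORD_HASHES = {}   # user_id -> (salt, pbkdf2 digest)

TOKEN_TTL_SECONDS = 24 * 60 * 60   # assumed policy: a reset link lives one day
PBKDF2_ROUNDS = 200_000


def set_password(user_id, password):
    """Store a salted PBKDF2-HMAC-SHA256 hash of the chosen password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    _PASSWORD_HASHES[user_id] = (salt, digest)


def verify_password(user_id, password):
    """Login check. An account with no password set can never log in directly;
    its only way in is the reset flow, which is the point of not seeding a
    default such as the phone number."""
    record = _PASSWORD_HASHES.get(user_id)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def issue_reset_token(user_id, now=None):
    """Create a reset token for user_id and return the plaintext once.

    The caller delivers the token out of band; only its SHA-256 digest is
    kept, so a copy of the table does not yield usable tokens. Issuing a new
    token replaces any earlier pending one.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _PENDING_RESETS[user_id] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset_token(user_id, token, new_password, now=None):
    """Validate the presented token; on success set the new password and
    consume the token so it cannot be replayed. Returns True on success."""
    now = time.time() if now is None else now
    pending = _PENDING_RESETS.get(user_id)
    if pending is None:
        return False
    if now > pending["expires_at"]:
        del _PENDING_RESETS[user_id]      # expired: discard, require a fresh request
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False                      # wrong token; pending entry stays until expiry
    del _PENDING_RESETS[user_id]          # single use
    set_password(user_id, new_password)
    return True


if __name__ == "__main__":
    # Walk-through with a constructed patron id and a fixed clock.
    t0 = 1_000_000.0
    print("login before any password set:", verify_password("patron-1", "guess"))
    tok = issue_reset_token("patron-1", now=t0)
    print("redeem with correct token:", redeem_reset_token("patron-1", tok, "s3cret", now=t0 + 60))
    print("login with new password:", verify_password("patron-1", "s3cret"))
    print("replay same token:", redeem_reset_token("patron-1", tok, "again", now=t0 + 120))
```

Because the token is random rather than derived from anything on the patron record, the same flow works for every delivery channel the library can manage; the channel only has to reach the right person, not keep a secret that was already public.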


