Honestly, I think this is pretty smart.<p>If someone has compromised your electronic systems, they can probably solve whatever electronic recovery means you've implemented, and they can probably do so on a large scale, re-compromising all the new accounts.<p>Adding an in-person step makes things harder for the attackers in two ways:<p>1: It relies on existing ID cards, which presumably the attackers can't telekinetically change while they sit in people's pockets or something.<p>2: It's hard to attack at scale. Conceivably someone could make a fake ID and pose as a staff member or something, but the same person wouldn't get away with that more than a few times before someone in the office noticed that they looked familiar. And it's slow -- humans work at a finite speed, so brute-forcing 38,000 visits to an office isn't as practical as spawning a bunch of threads to attack login sessions or something.<p>I think despite the inconvenience, this is a sane way to respond to a compromise, if your users are local and can visit an office to pull it off.<p>At a major automaker that I won't name, they have an interesting way of handling password resets: They generate a new random password for you, and send half of it by SMS to the mobile phone in your employee record. Then they email the other half to your manager. Managers have instructions that when an employee calls to retrieve this (or if the manager has a moment to call the employee first), they should spend a moment in conversation first, really make sure they recognize the employee's voice and stuff, and if there's any doubt, ask them to meet at the personnel building badging office, where the administrative folk can check IDs and stuff. It works pretty well -- it would be _very_ hard to attack this system, especially at scale.
"As an added precaution, the university computing center decided to issue new passwords for all 38,000 JLU email accounts. However, the university was unable to do this online because of a quirk of German law, whereby the German National Research and Education Network (DFN) requires, in this case, JLU students and staff to obtain their new passwords in person from the university's IT staff, using an ID card to prove their identity."
So they're just running some AV software from a live system on all systems and calling it a day. Dec 8th has been a while and there's no information about which malware this actually was. If it's really a targeted attack with some previously unknown malware, I wouldn't really feel like that's sufficient.<p>Most companies have policies that require a full reinstall of infected systems, or they even just go ahead and replace the physical machine.
I'm a student at that university, though I don't have any contacts in the IT department or other sources of inside information.<p>I went to collect my new password already. The process was pretty smooth, with only a little confusion where the queue split up alphabetically (not quite enough room, although it took place in a large gym; I guess they rightly prioritized giving the people behind the desks enough room to work).<p>It's interesting to see which systems of the university are more or less robust to the network blackout. Email is down, which has the nice side effect that people who would otherwise only communicate in written form now make calls or physical visits (as they cannot look up phone numbers on the web) to each other's offices. The library catalogue is not working, though apparently they successfully switched to a paper-based system for lending books after a few days (haven't tried it yet). The electronic payment system of the canteens appears completely unaffected. (I read on a sign recently that it is considered "obsolete" and subject to renewal – good thing they hadn't done that yet, I guess.) The web platform with reading material for seminars is down. In some cases seminar presentations have to be given without slideshow projection because the designated presentation laptop got a red sticker. I don't know how labs with data on the central servers are doing (I'm in the humanities).
I thought that this is always the case. At METU, when you register at the university they give you a password by hand (printed inside a letter). In case your account is compromised, they block your account and you have to go to the computer center so that they can give you a new password. There is no "I forgot my password" button. It has been like this since at least the early 2000s, probably since the 1990s.
Does anyone know whether password+key is a supported WebAuthn use case? I don't mean whether the standard supports it (it does), but whether it's planned. I would love to use my Yubikey + PIN to log in to sites passwordlessly, but it seems that so far the only thing that anyone uses WebAuthn for is as a second factor.
Been in a similar password reset situation at a university and it's a pain!<p>I hope they implement 2FA (two-factor authentication), since that will stop between 70-99% of password attacks.
Thing is, as far as I can Google, they have not identified how the network got compromised in the first place?<p>So they are issuing bootable USB sticks for scanning computers and manually providing new email (I guess university account) passwords, but how would that prevent the same thing happening again in the same unpatched way next week?