Educause Security Discussion mailing list archives
Re: Password Expatriation notification
From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Mon, 23 Aug 2010 19:26:51 -0600
Notifications across a campus or any large organization are becoming a challenge, particularly when you need quick acknowledgment and response. We looked at the information that came out of the Virginia Tech attacks a few years ago and other emergency events, and quickly spotted the effects of technology and generations on overall notification effectiveness. A key mechanism in play is transgenerational human factor effects on the notification processes and procedures.

From a technology perspective, we note that generations, which were defined along 10 to 15 year periods, must now be defined as 5 to 7 years or less, with each having their primary/preferred communication methods and technologies. So, 'older generations' in the 38-45 year old range are accustomed to pager technologies, those in the 30-37 rely on e-mails to a greater degree than those in the 23-29 range, who grew up with cell phones. Texting is much more prevalent among those 22 and younger, most of whom have little or no memory of corded phones. Those 22 and younger also do not remember a time when cell phones were not readily available.

So, when designing an effective notification system for time-sensitive events, it is wise to consider transgenerational human factor effects by assessing the generations within the community and ensuring that notifications go out using the various preferred/popular methods and technologies in use. A related effectiveness factor relates to the methods and processes that can cut through the social e-chatter, which leaves people oblivious to traditional attention-grabbing cues.

By the way, if a vendor tells you that they have a long-term solution, consider it carefully and make sure that the preferred system is inherently flexible and extensible. Each new e-generation will bring along new technologies and social use rules, meaning that notification systems do not work well when approached from a static point in time design perspective. Instead, a process needs to be in place to reassess and validate assumptions, and make adjustments as conditions change.

Sorry for the long epistle, but this is an important area that we often find lacking.

Regards,
Ozzie Paez
SSE/SAIC
303-332-5363

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dergenski, Todd A.
Sent: Monday, August 23, 2010 8:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Expatriation notification

This very topic came up in a meeting this morning. Our solution is multiple avenues of notification. We send mails (30, 14 and 7 days out) and also have the lab machines prompt a notification under 30. Additionally, we will be modifying our single sign on to display a notification page under 30 and do a redirect under 3. Messages in our portal are also planned, but are on hold until we can come up with more content. They don't like a dedicated box that is empty most of the time.

I would recommend finding a service that everyone logs into regularly and seeing if you can get the message there.

Todd Dergenski
Old Dominion University
Senior Security Administrator
4700 Elkhorn Ave - Room 4300
Norfolk, Va, 23529 USA
(757) 683-4301
tdergens () odu edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Saturday, August 21, 2010 1:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Expatriation notification

On 18/08/2010, at 6:44 AM, James Farr '05 wrote:

> We recently implemented a policy where the users receive an email 30 days before the password is set to expire. Sure enough people thought this was a phishing attempt. However, since we have some off campus users that may never step foot on campus, email seemed to be the only way to notify everyone.

I have had this problem notifying people about possibly compromised credentials too. After a bit of toing and froing we managed to convince the keepers of the university home page to add a password change link to the list of quick links on www.auckland.ac.nz. Now we can tell folk how to change password easily without giving any URLs. We will use the same technique when we start expiring passwords later this year.

Russell