Educause Security Discussion mailing list archives

Re: First time/one time use default password


From: "Clementz, Todd" <clementz.7 () OSU EDU>
Date: Mon, 7 Nov 2011 20:49:11 +0000

Good Day,
We currently have a vbscript that incorporates a fixed set of characters from the student employee ID, but not the entire number, into the initial password based on a spreadsheet used to create the user. This process is the same for each user, but it increases the complexity by someone needing the student's employee ID. This is in turn emailed to the student's university email with a setting in the email that notifies us the user has opened the information. This initial email is also sent to the three IT staff members so we are up to speed on new student account creation.

Todd Clementz
Systems Engineer
Knowlton School of Architecture
The Ohio State University
Direct Line: 614.292.8544
Helpdesk: 614.292.8612
Http://Support.knowlton.ohio-state.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tarun Trivedi
Sent: Monday, November 07, 2011 3:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] First time/one time use default password

Our institution currently assigns each new student a unique Student ID Number, which is also their Login ID for the institution's computer network. For this Student ID, the first-time/one-time-use default password is their Date of Birth. The new student is prompted at their first network login to change their one-time default password.

Keeping in mind the authentication guidance provided under FERPA (34 CFR Part 99, page 74848, from which the following excerpt is taken: "The use of widely available information to authenticate identity, such as the recipient's name, date of birth, SSN or student ID number, is not considered reasonable under the regulations."),

I would appreciate your input on the following:

- What are the risks associated with having widely available information like DoB as a default one-time password?
- What is the probability of having a breach due to an initial password that is comprised of widely available information such as DoB?
- What is the worst case if a breach related to this occurs (PII compromise, fines, etc.)?
- What does your institution have in place for a first-time/one-time-use default password process/procedure?
- How is your institution handling the first-time network password (generation and delivery) related tasks?
- How/why are you out of compliance if you have information like DoB as a first-time/one-time-use default password?

Thank you in advance for your time and reply.


Tarun Trivedi

IT Security Engineer
Waubonsee Community College
Route 47 at Waubonsee Drive
Sugar Grove, IL 60554
Ph# 630-466-5744
e-mail: ttrivedi () waubonsee edu
web site: www.waubonsee.edu

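The thread asks how institutions generate and deliver a first-time password. The following is an added example (my own code, not from either poster or their institutions) that contrasts the guess space of the DoB and partial-ID schemes discussed above with a randomly generated one-time credential that is salted and hashed, expires, and is invalidated once the user changes it at first login. The one-week validity, 14-character length, 12-character minimum and PBKDF2 iteration count are assumed policy values.

```python
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits
ONE_TIME_TTL = 7 * 24 * 3600  # assumed policy: initial password valid for one week

def guess_space_bits(candidates: int) -> float:
    """Bits of entropy for a secret drawn uniformly from `candidates` values."""
    return math.log2(candidates)

# Weak schemes named in the thread: a date of birth (any day in ~100 years)
# and a four-character numeric slice of the student/employee ID.
DOB_BITS = guess_space_bits(100 * 365)
PARTIAL_ID_BITS = guess_space_bits(10 ** 4)

def generate_initial_password(length: int = 14) -> str:
    """One-time initial password from the OS CSPRNG, not derived from identity data."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:
    login_id: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = True
    expires_at: float = 0.0

def provision(login_id: str, now: float) -> tuple[Account, str]:
    """Create the account record and return the cleartext once, for delivery."""
    pw = generate_initial_password()
    salt = secrets.token_bytes(16)
    return Account(login_id, salt, hash_password(pw, salt), True, now + ONE_TIME_TTL), pw

def first_login(acct: Account, presented: str, new_password: str, now: float) -> bool:
    """Accept the one-time password only once, only before expiry, and only with a change."""
    if now > acct.expires_at or not acct.must_change:
        return False
    if not hmac.compare_digest(hash_password(presented, acct.salt), acct.pw_hash):
        return False
    if len(new_password) < 12 or new_password == presented:
        return False
    acct.salt = secrets.token_bytes(16)           # re-salt on change
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.must_change = False                      # one-time credential now dead
    acct.expires_at = 0.0
    return True
```

DOB_BITS comes out near 15 bits and PARTIAL_ID_BITS near 13, versus roughly 83 bits for the 14-character random password, which is the gap the FERPA excerpt is pointing at.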
