Educause Security Discussion mailing list archives
Re: First time/one time use default password
From: Tim Doty <tdoty () MST EDU>
Date: Mon, 7 Nov 2011 15:01:25 -0600
On Mon, 2011-11-07 at 14:28 -0600, Tarun Trivedi wrote:
> Our institution currently assigns each new student a unique Student ID Number, which is also their Login ID for the institution's computer network. For this Student ID, the first-time/one-time-use default password is their Date of Birth. At their first network login, the new student is prompted to change this one-time default password.
Egads. When I was a student twenty years ago, that was a system the university I attended used. Now, times have changed so this isn't 100% applicable, but I don't think it is surprising how susceptible this is to social engineering and subsequent abuse. One of the issues at the time was that all students had a computer account, but very few other than comp sci students actually used them. So an enterprising student could have quite a few accounts without the owners noticing. Nowadays a mitigating factor is the necessity for all students to use their account.
> Keeping in mind the authentication guidance provided under FERPA (34 CFR Part 99; the following excerpt is from page 74848): "The use of widely available information to authenticate identity, such as the recipient's name, date of birth, SSN or student ID number, is not considered reasonable under the regulations."
I'd agree with that...
> I would appreciate your input on the following:
> - What are the risks associated with having widely available information like DoB as a default one-time password?
It's like any non-random default password: it isn't a good idea. It isn't a matter of "is it abused" but rather "how much".
> - What is the probability of having a breach due to an initial password that is composed of widely available information such as DoB?
Probability is the intersection of ease and motivation. You make it very easy, then all it takes is "for giggles" motivation (random occurrences). If there is something of worth, the probability goes up very quickly given how easy it is.
> - What is the worst case if a breach related to this occurs (PII compromise, fines, etc.)?
That is too open ended a question and depends on particulars of your environment. But I would be unsurprised if how seriously the institution took security (using DOB for an initial password) played a role in determining fines...
> - What does your institution have in place for a first-time/one-time-use default password process/procedure?
The user is provided (via snail mail and, I believe, external email) with a randomly generated one-time password. They can also do the equivalent of a self-service password reset (which has all the usual associated risks).
> - How is your institution handling the first-time network password (generation and delivery) related tasks?
Admissions office, I believe. Probably tied in to PeopleSoft, but I don't deal with that process.

Tim Doty
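The randomly generated, single-use initial password Tim describes, as an added example that is not part of the original thread or any institution's actual system. It assumes a hypothetical in-memory store (OneTimePasswordStore), a two-week validity window for mailed credentials (TOKEN_TTL_SECONDS), PBKDF2-SHA256 for storing the issued password, and an injectable clock so expiry can be exercised; the dob_guess_space helper is only there to put the DoB scheme's search space next to the random one.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this added example (not from the original thread):
TOKEN_BYTES = 12                      # 96 bits of randomness per issued password
TOKEN_TTL_SECONDS = 14 * 24 * 3600    # assumed two-week validity for a mailed credential
PBKDF2_ROUNDS = 100_000


def dob_guess_space(years=100):
    """Upper bound on distinct date-of-birth values over a `years`-year span.

    About 366 * years, so a DoB "password" falls to a few tens of thousands of
    guesses even before the attacker narrows the year from the student's likely age.
    A 96-bit random token is 2**96 possibilities by comparison.
    """
    return 366 * years


class OneTimePasswordStore:
    """Issue random one-time initial passwords and consume each exactly once."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested offline
        self._records = {}       # student_id -> [salt, digest, expires_at, used]

    def issue(self, student_id):
        """Generate and record a random initial password; return it for out-of-band delivery."""
        password = secrets.token_urlsafe(TOKEN_BYTES)
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        # Only the salted hash is kept; the cleartext goes to the student (mail/email).
        self._records[student_id] = [salt, digest, self._now() + TOKEN_TTL_SECONDS, False]
        return password

    def redeem(self, student_id, password):
        """Return True once for the correct, unexpired password; False on any other attempt.

        A successful redemption marks the record used, so the same initial password
        cannot be replayed for a second login. The caller is expected to force a
        real password change immediately after a True result.
        """
        record = self._records.get(student_id)
        if record is None:
            return False
        salt, digest, expires_at, used = record
        if used or self._now() > expires_at:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return False
        record[3] = True
        return True


if __name__ == "__main__":
    store = OneTimePasswordStore()
    pw = store.issue("S001")
    print("issued:", pw)
    print("first login:", store.redeem("S001", pw))    # True
    print("replay:", store.redeem("S001", pw))         # False, already consumed
    print("DoB guess space (100 years):", dob_guess_space())
```

The store deliberately does not implement the self-service reset path Tim mentions; that is a separate flow with its own identity-proofing problem, and it should not reuse the initial-credential record.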