Educause Security Discussion mailing list archives

Re: initial passwords for students


From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Fri, 6 Dec 2013 10:04:15 -0500

In the past, we set students' initial passwords to date of birth, and the
relevant email notifying them that their account had been created told them
the correct format (yymmdd or whatever). We're moving away from this,
however, as it's never been terribly secure, and with the way students
share personal information on Facebook and whatever, it's even less so
today.

Our new approach is to set initial passwords to randomly generated strings
of characters that meet our password complexity requirements. These strings
are not saved, and are never given to anyone. Instead, the email notifying
students that their account has been created directs them to our password
reset page, where they are able to choose their own password after
providing enough information to verify their identity.

We require passwords to be changed twice a year (180 days).

--Dave


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Fri, Dec 6, 2013 at 9:33 AM, Yost, Davis <yost () northwood edu> wrote:

Group,



Looking for guidance on emailing initial passwords to students, does
anyone do this?  What do you use for the initial password?  How often do
you require students to change their password?





Thank you,



Davis Yost

Associate Director of Security and Networks

Northwood University

yost () northwood edu

989.837.4185 office

989.859.7761 cell
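
The approach described in the reply above (a random initial password that is never saved or sent, plus a notification pointing to the reset page), sketched as an added example that is not code from the original post or from either institution. The complexity policy, the `idm.example.edu` reset URL, the in-memory `record` standing in for the directory, and the function names are all assumptions.

```python
import hashlib
import secrets
import string

# Assumed complexity policy (the post does not state the actual rules):
# fixed length plus at least one character from each class below.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!@#$%^&*()-_=+")
ALPHABET = "".join(CLASSES)
RESET_URL = "https://idm.example.edu/reset"  # placeholder URL


def random_initial_password(length=24):
    """Return a CSPRNG-generated string that satisfies the assumed policy."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        # Rejection sampling: draw uniformly and retry until every class
        # appears, rather than forcing one character per class into a slot.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def provision_account(username):
    """Build the account record and the notification for a new student.

    The plaintext exists only inside this function: the record keeps a
    salted PBKDF2 verifier, and the email carries no secret at all.
    """
    password = random_initial_password()
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    del password  # drop the only reference; never logged or returned
    record = {"user": username, "salt": salt.hex(),
              "verifier": verifier.hex(), "must_reset": True}
    email = (f"Your account {username} has been created. Choose your "
             f"password at {RESET_URL} after verifying your identity.")
    return record, email


if __name__ == "__main__":
    rec, msg = provision_account("jdoe")  # constructed sample username
    print(sorted(rec), msg, sep="\n")
```

Because nobody knows the generated string, the account is unusable until the student completes the reset flow, so the strength of the scheme rests on the identity verification performed there.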



