Re: inital passwords for students

["McLaughlin, Bryan S." <bmclaughlin () CREIGHTON EDU>]

At Creighton University we have a home grown application that creates a one-time password (OTP) for all new AD 
accounts.  Students receive their OTP from the admissions process, faculty and staff receive their OTP from their 
hiring manager.  All individuals use their OTP and date of birth to setup a security profile (security questions and 
answers along with an alternate email or text capable number) and then they set their AD password.  AD password live 
for 180 days.  The security profile then ties to a password self-service tool that allow users to reset forgotten 
password through security questions and a verification code that is sent to the alternative email or text device.  We 
never subsequently change a users password if they cannot use the self-service portal (forgot the answers to their 
security questions, etc.), we instead provide a new OTP (following verification of identity) so a new security profile 
can be created.

We have found the process to work well and password calls to the service desk have declined.

Bryan McLaughlin
Information Security Officer
Creighton University
bmclaughlin () creighton edu<mailto:bmclaughlin () creighton edu>
402-280-2386

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Yost, 
Davis
Sent: Friday, December 6, 2013 8:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] inital passwords for students

Group,

Looking for guidance on emailing initial passwords to students, dose anyone do this?  What do you use for the initial 
password?  How often do you require students to change there password?


Thank you,

Davis Yost
Associate Director of Security and Networks
Northwood University
yost () northwood edu<mailto:yost () northwood edu>
989.837.4185 office
989.859.7761 cell