Educause Security Discussion mailing list archives
Re: inital passwords for students
From: Don Faulkner <donf () UARK EDU>
Date: Tue, 10 Dec 2013 15:32:41 -0600
We do not use a commercial password management application. We've built our own for a variety of legacy reasons. There may be changes to this in the future, as we develop a more comprehensive identity and access management (IAM) strategy.

Accounts begin life in a "ready to activate" state, and are unusable until activated. To activate a new account, we require the user's university ID number and their date of birth. We send the student's university ID number in their welcome packet, sent by US mail to their "permanent address."

We remind users to change their password when it reaches an age of 90 days. We give the user 30 days to comply, with daily reminder emails sent the last 10 days. We the account when the password age exceeds 120 days by resetting the password to a random value. We have a separate mechanism to isolate misbehaving accounts.

Users may recover their account access through our "Forgot Password" process. This works for scrambled/locked accounts as well as a regular forgotten password. To recover an account, the user must provide their username, university ID number, date of birth, and the answer to their security question. If they've not set a security question (because it's not yet required), the user must visit the help desk or a lab and provide photo ID. The help desk then provides an "authorization code" which becomes the user's security question until used. Off-campus users needing a password reset must be vouched for by a supervisor, department head, or similar authority, before a similar procedure is followed.

Our password guidelines <http://its.uark.edu/passwords.html> require 8-32 characters with a minimum of 1 character from three of four "food groups": uppercase, lowercase, numbers, and specials, along with a few other requirements.

Our process is undergoing some changes in preparation for inclusion in a broader IAM initiative. Any changes will be based on the guidance in NIST SP 800-63.
One problem we've run into several times is the circumstance surrounding deceased users. We've had to deal with the situation of allowing next of kin or executors access to the email or file accounts of deceased students and staff. Our current procedure is to treat the access request as a remote user forgotten password situation with additional requirements. We use the Supervisor/Department Head approval process and paperwork, and request a copy of a death certificate. With that information in hand, the next of kin or executor visits a lab or help desk and is allowed to reset the password for the account. We also agree with the individual on a time period of access, usually somewhere between 2 days and a week, after which access is revoked.

--
Don Faulkner, CISSP | CISO <http://its.uark.edu/> at the University of Arkansas <http://www.uark.edu/>
contact>> donf () uark edu <mailto:donf () uark edu> | +1 (479) 575-2901
connect>> uarkITS on Facebook <http://www.facebook.com/uarkITS> | @uaits <http://twitter.com/uaits> | @dfaulkner <http://twitter.com/dfaulkner>

On 12/06/2013 08:33 AM, Yost, Davis wrote:
> Group,
>
> Looking for guidance on emailing initial passwords to students, does anyone do this? What do you use for the initial password? How often do you require students to change their password?
>
> Thank you,
>
> Davis Yost
> Associate Director of Security and Networks
> Northwood University
> yost () northwood edu <mailto:yost () northwood edu>
> 989.837.4185 office
> 989.859.7761 cell
Current thread:
- Re: inital passwords for students, (continued)
- Re: inital passwords for students Stevens, Eric J. (Dec 06)
- Re: inital passwords for students David Curry (Dec 06)
- Re: inital passwords for students David Curry (Dec 06)
- Re: inital passwords for students Stevens, Eric J. (Dec 06)
- Re: inital passwords for students Yost, Davis (Dec 06)
- Re: inital passwords for students Nick Giacobe (Dec 06)
- Re: inital passwords for students Hugh Burley (Dec 06)
- Re: inital passwords for students Dan Schwartz (Dec 06)
- Re: inital passwords for students Jones, Mark B (Dec 06)
- Re: inital passwords for students Barron Hulver (Dec 06)
- Re: inital passwords for students McLaughlin, Bryan S. (Dec 06)
- Re: inital passwords for students Don Faulkner (Dec 10)