Educause Security Discussion mailing list archives

Re: default password

From: Cris Harshman <cristiforbharshman () ABTECH EDU>
Date: Thu, 1 Sep 2016 12:49:03 +0000

Thanks for the information, this is exactly the method we’d like to use!  Frank, and others that use a similar workflow 
for your default passwords (enroll without knowing what the password is, then reset password), what software or service 
do you use for your password reset tool?  We’re also working on exactly what pieces of information to use for identity 
verification (particularly trying to avoid using any information we send in our notifications), but I won’t ask that in 
an open, archived listserv.  :)

Thanks for asking the question Mark - I appreciate it!

Take care,
Cris

----------------------------------
Cris Harshman
Director, Technology Services
Holly Building, 115

A-B Tech Community College
340 Victoria Road
Asheville, N.C. 28801

Office: (828) 398-7304
Cell: (828) 337-5302
charshman () abtech edu<mailto:charshman () abtech edu>

A-B Tech's Vision: Locally Committed • Regionally Dynamic • World-Class Focused



On Sep 1, 2016, at 8:36 AM, Frank Barton <bartonf () HUSSON EDU<mailto:bartonf () husson edu>> wrote:

Valdis, We don't inform them of the initial password's value. When they go in for a self-service password reset they 
use certain pieces of information that had previously been communicated with us to confirm identity. This then allows 
them to manually reset their password.

It's not a perfect solution, given that some of the information can be found on social media, we are looking at 
out-of-band one-time-passwords for verification (SMS, voice call to known number, email to personal account, etc.) but 
there are concerns about those also (see recent NIST draft suggestions) which makes this whole conversation more... 
interesting...

Frank

On Wed, Aug 31, 2016 at 4:58 PM, Valdis Kletnieks <Valdis.Kletnieks () vt edu<mailto:Valdis.Kletnieks () vt edu>> wrote:
On Wed, 31 Aug 2016 08:14:03 -0400, Frank Barton said:

We create random passwords that are not shared with anybody, Users then use
a self-service reset to set their own password


What method do people use to notify users of a random initial password's value?




--
Frank Barton
ACMT
IT Systems Administrator
Husson University

Current thread:

default password Mark Reboli (Aug 30)
- Re: default password Frank Barton (Aug 31)
  - Re: default password Charles Curtis (Aug 31)
  - Re: default password Valdis Kletnieks (Aug 31)
    - Re: default password Frank Barton (Sep 01)
    - Person has Retired: Re: [SECURITY] default password John Kilgore (Sep 01)
    - Re: default password Cris Harshman (Sep 01)
    - Re: default password Frank Barton (Sep 01)
    - Re: default password Mark Reboli (Sep 01)
- Re: default password Steven Blanc (Sep 01)
- <Possible follow-ups>
- Re: default password Boyd, Daniel (Sep 02)