Educause Security Discussion mailing list archives
Re: default password
From: Mark Reboli <mreboli () MISERICORDIA EDU>
Date: Thu, 1 Sep 2016 14:57:07 +0000
First thank you all. Second, Brad.. I must have tried to write the question 5 times (each time going, would I even answer this) but had to get it out lol

Please correct me where I am wrong but I believe this is the summary of the answers:

Summation of what I received:

- A random generator is utilized to create the default password. Users are then forced via a self-service reset to change their password to something only they know.
- Others utilize a self-service password that the user resets by answering questions based on certain pieces of information that had previously been communicated with the university to confirm identity. This then allows them to manually reset their password.
- Some are looking at out-of-band one-time passwords for verification (SMS, voice call to known number, email to personal account, etc.)
  - PortalGuard is one software package mentioned; however, it is not strongly recommended.
- In all cases there are NIST concerns, whether current or with the new draft.

If anyone has anything else they can send me (here or personally, since they might not want to post) I would be very appreciative as I try to move forward.

Thank you all again

M

Mark Reboli
Network/Telecom/IT Security Manager
Misericordia University
(570) 674-6753

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank Barton
Sent: Thursday, September 01, 2016 9:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] default password

Cris, we use a tool called PortalGuard - we are a version behind, and it's okay (Not a rousing endorsement, is it?) There are a couple of features that I would like to see (including the ability to use groups better) but like I said, we are also a version behind, and need to get updated in my copious amounts of spare time.

Frank

On Thu, Sep 1, 2016 at 8:49 AM, Cris Harshman <cristiforbharshman () abtech edu> wrote:

Thanks for the information, this is exactly the method we'd like to use! Frank, and others that use a similar workflow for your default passwords (enroll without knowing what the password is, then reset password), what software or service do you use for your password reset tool? We're also working on exactly what pieces of information to use for identity verification (particularly trying to avoid using any information we send in our notifications), but I won't ask that in an open, archived listserv. :)

Thanks for asking the question Mark - I appreciate it!

Take care,
Cris
----------------------------------
Cris Harshman
Director, Technology Services
Holly Building, 115
A-B Tech Community College
340 Victoria Road
Asheville, N.C. 28801
Office: (828) 398-7304
Cell: (828) 337-5302
charshman () abtech edu
A-B Tech's Vision: Locally Committed • Regionally Dynamic • World-Class Focused

On Sep 1, 2016, at 8:36 AM, Frank Barton <bartonf () HUSSON EDU> wrote:

Valdis, we don't inform them of the initial password's value. When they go in for a self-service password reset they use certain pieces of information that had previously been communicated with us to confirm identity. This then allows them to manually reset their password. It's not a perfect solution, given that some of the information can be found on social media; we are looking at out-of-band one-time passwords for verification (SMS, voice call to known number, email to personal account, etc.) but there are concerns about those also (see recent NIST draft suggestions), which makes this whole conversation more... interesting...

Frank

On Wed, Aug 31, 2016 at 4:58 PM, Valdis Kletnieks <Valdis.Kletnieks () vt edu> wrote:

On Wed, 31 Aug 2016 08:14:03 -0400, Frank Barton said:
> We create random passwords that are not shared with anybody. Users then use a self-service reset to set their own password.

What method do people use to notify users of a random initial password's value?

--
Frank Barton
ACMT
IT Systems Administrator
Husson University
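The workflow the thread converges on (a random initial password that is generated, hashed and never disclosed to anyone; login blocked until a self-service reset; an out-of-band one-time code that expires, is single use and has an attempt limit), sketched as an added example that is not part of the original thread or of any product named in it. The PBKDF2 work factor, the 10-minute code lifetime and the three-attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is drawn when none is supplied."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Provisioned with a random initial secret nobody ever sees; usable only after a reset."""

    def __init__(self, username: str):
        self.username = username
        # The initial password is generated, hashed and discarded: it is never mailed or displayed.
        self.salt, self.pw_hash = hash_password(secrets.token_urlsafe(32))
        self.must_reset = True
        self.otp = None  # (code, expires_at, attempts_left) while a reset code is outstanding

    def issue_reset_code(self, now: float, ttl_s: int = 600) -> str:
        """Mint a one-time code for out-of-band delivery (SMS, voice call, personal e-mail)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.otp = (code, now + ttl_s, 3)
        return code  # handed to the delivery channel only, never echoed by the reset page

    def reset_with_code(self, code: str, new_password: str, now: float) -> bool:
        """Verify the out-of-band code, then let the user set a password only they know."""
        if self.otp is None:
            return False
        expected, expires_at, attempts_left = self.otp
        if now > expires_at or attempts_left <= 0:
            self.otp = None  # expired or exhausted: the user must request a fresh code
            return False
        if not hmac.compare_digest(code, expected):
            self.otp = (expected, expires_at, attempts_left - 1)  # burn an attempt
            return False
        self.otp = None  # single use
        self.salt, self.pw_hash = hash_password(new_password)
        self.must_reset = False
        return True

    def login(self, password: str) -> bool:
        if self.must_reset:
            return False  # the undisclosed initial password can never be used to log in
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.pw_hash)
```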