Educause Security Discussion mailing list archives
Re: default password
From: "Boyd, Daniel" <dboyd () BERRY EDU>
Date: Fri, 2 Sep 2016 12:13:42 +0000
We use a product called ReACT to allow new users (and current users) to reset their Active Directory and Office365 passwords, and unlock their Active Directory account if it gets locked out.

We generate a random initial password that they don't receive or need to know (and we don't either). When they come to orientation, they have their information packet with their new student ID number on it. They must have a valid account in the system, know their email user name and have the correct ID number to start the new account setup/password reset process. They must also enter their birthdate and it must match the one already in the system.

The initial wizard requires them to create four security questions, and optionally provide an alternate email address and/or an SMS address to receive a password reset code in the future. The last step of the wizard is to create their new password and reset it. All responses from the user within the setup wizard are dotted out, so support staff can guide them through the process over their shoulder without compromising the user's credentials (as long as they don't glance at the keyboard, but this is a staff/process control, not a technological control).

Subsequent uses of the password reset system will require them to either answer the correct security questions, or have access to the alternate email/SMS address.

It works fairly well, and is reasonably secure since the only place they can get their student ID before they arrive for orientation is within our student portal which uses separate credentials, handled in an entirely different manner.

Hope this helps,
Dan

Daniel H. Boyd (94C)
Senior Network Architect
Network Operations
Information Security Advisory Group Chair
Berry College
Phone: 706-236-1750
Fax: 706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
2. If unsure, consult rule #1
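The first-time setup flow described in the message above, sketched as an added example that is not part of the original post and is not ReACT's code. All names here are hypothetical; the one-time claim flag and the attempt limit are assumptions the post does not mention, and the security-question and alternate email/SMS steps are omitted.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date

MAX_FAILURES = 5  # assumption: the post does not mention an attempt limit

@dataclass
class Account:
    username: str
    student_id: str
    birthdate: date
    salt: bytes
    pw_hash: bytes
    claimed: bool = False
    failures: int = 0

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def provision(username: str, student_id: str, birthdate: date) -> Account:
    """Create the account with a random initial password that nobody ever sees."""
    salt = secrets.token_bytes(16)
    throwaway = secrets.token_urlsafe(32)  # hashed below, never stored or shown
    return Account(username, student_id, birthdate, salt, hash_password(throwaway, salt))

def same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

def claim(directory: dict, username: str, student_id: str,
          birthdate: date, new_password: str) -> bool:
    """First-time setup: user name, ID number and birthdate must all match."""
    acct = directory.get(username)
    if acct is None or acct.claimed or acct.failures >= MAX_FAILURES:
        return False
    # Evaluate both checks (no short-circuit) so timing does not show which one failed.
    ok = same(acct.student_id, student_id) & same(acct.birthdate.isoformat(), birthdate.isoformat())
    if not ok:
        acct.failures += 1
        return False
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_password(new_password, acct.salt)  # replaces the random initial one
    acct.claimed = True  # assumption: the ID + birthdate path works only once
    return True

def verify(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

# Constructed sample record, not real data.
DIRECTORY = {"jdoe": provision("jdoe", "900123456", date(1998, 4, 17))}
```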
Current thread:
- default password Mark Reboli (Aug 30)
- Re: default password Frank Barton (Aug 31)
- Re: default password Charles Curtis (Aug 31)
- Re: default password Valdis Kletnieks (Aug 31)
- Re: default password Frank Barton (Sep 01)
- Person has Retired: Re: [SECURITY] default password John Kilgore (Sep 01)
- Re: default password Cris Harshman (Sep 01)
- Re: default password Frank Barton (Sep 01)
- Re: default password Mark Reboli (Sep 01)
- Re: default password Frank Barton (Aug 31)
- <Possible follow-ups>
- Re: default password Boyd, Daniel (Sep 02)