Educause Security Discussion mailing list archives

Re: default password


From: "Boyd, Daniel" <dboyd () BERRY EDU>
Date: Fri, 2 Sep 2016 12:13:42 +0000

We use a product called ReACT to allow new users (and current users) to reset their Active Directory and Office365 
passwords, and unlock their Active Directory account if it gets locked out.

We generate a random initial password that they don't receive or need to know (and we don't either).  When they come to 
orientation, they have their information packet with their new student ID number on it.  They must have a valid account 
in the system, know their email user name and have the correct ID number to start the new account setup/password reset 
process.  They must also enter their birthdate and it must match the one already in the system.

The initial wizard requires them to create four security questions, and optionally provide an alternate email address 
and/or an SMS address to receive a password reset code in the future.  The last step of the wizard is to create their 
new password and reset it.

All responses from the user within the setup wizard are dotted out, so support staff can guide them through the process 
over their shoulder without compromising the user's credentials (as long as they don't glance at the keyboard, but this 
is a staff/process control, not a technological control).

Subsequent uses of the password reset system will require them to either answer the correct security questions, or have 
access to the alternate email/SMS address.

It works fairly well, and is reasonably secure since the only place they can get their student ID before they arrive 
for orientation is within our student portal which uses separate credentials, handled in an entirely different manner.

Hope this helps,

Dan


Daniel H. Boyd (94C)
Senior Network Architect
Network Operations
Information Security Advisory Group Chair
Berry College
Phone: 706-236-1750
Fax: 706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
2. If unsure, consult rule #1
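A sketch of the identity-proofing gate Dan describes (username, student ID and birthdate must all match before setup; later resets need the security answers or a single-use code sent to the alternate channel), added here as an illustration and not ReACT's or Berry College's code. The Account class, the question keys and the sample ID values are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _hash_answer(value: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so "Fido " and "fido" match, then hash slowly.
    return hashlib.pbkdf2_hmac("sha256", value.strip().lower().encode(), salt, 100_000)


@dataclass
class Account:                      # constructed stand-in for the directory record
    username: str
    student_id: str                 # the ID printed in the orientation packet
    birthdate: str                  # ISO date as held in the student system
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    question_hashes: dict = field(default_factory=dict)
    reset_code: Optional[str] = None

    def initial_setup_allowed(self, username: str, student_id: str, birthdate: str) -> bool:
        # Evaluate every field (no short-circuit) so a failure does not reveal which one was wrong.
        ok = hmac.compare_digest(self.username.lower(), username.lower())
        ok &= hmac.compare_digest(self.student_id, student_id)
        ok &= hmac.compare_digest(self.birthdate, birthdate)
        return ok

    def enroll_questions(self, answers: dict) -> None:
        # The wizard requires four questions; answers are stored only as salted hashes.
        if len(answers) < 4:
            raise ValueError("four security questions are required")
        self.question_hashes = {q: _hash_answer(a, self.salt) for q, a in answers.items()}

    def verify_questions(self, answers: dict) -> bool:
        # All enrolled questions must be answered and all answers must match.
        if set(answers) != set(self.question_hashes):
            return False
        result = True
        for q, a in answers.items():
            result &= hmac.compare_digest(self.question_hashes[q], _hash_answer(a, self.salt))
        return result

    def issue_reset_code(self) -> str:
        # Six-digit code for the alternate email/SMS channel; the caller delivers it.
        self.reset_code = f"{secrets.randbelow(10**6):06d}"
        return self.reset_code

    def verify_reset_code(self, code: str) -> bool:
        # Single use: the code is cleared whether or not the attempt succeeds.
        if self.reset_code is None:
            return False
        ok = hmac.compare_digest(self.reset_code, code)
        self.reset_code = None
        return ok
```

Lockout counting and the actual password change are left to the directory; this only covers the proofing decisions.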



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SECURITY 
automatic digest system
Sent: Friday, September 02, 2016 12:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: SECURITY Digest - 31 Aug 2016 to 1 Sep 2016 (#2016-140)

SECURITY Digest - 31 Aug 2016 to 1 Sep 2016 (#2016-140)
Table of contents:

  *   default password (5)
  *   Person has Retired: Re: [SECURITY] default password
  *   HEISC Quarterly Update, September 2016

  1.  default password
     *   Re: default password (09/01) From: Frank Barton <bartonf () HUSSON EDU>
     *   Re: default password (09/01) From: Cris Harshman <cristiforbharshman () ABTECH EDU>
     *   Re: default password (09/01) From: Frank Barton <bartonf () HUSSON EDU>
     *   Re: default password (09/01) From: Mark Reboli <mreboli () MISERICORDIA EDU>
     *   Re: default password (09/01) From: Steven Blanc <sblanc () BOWDOIN EDU>
  2.  Person has Retired: Re: [SECURITY] default password
     *   Person has Retired: Re: [SECURITY] default password (09/01) From: John Kilgore <jkilgore () OTS UTSYSTEM EDU>
  3.  HEISC Quarterly Update, September 2016
     *   HEISC Quarterly Update, September 2016 (09/01) From: Valerie Vogel <vvogel () EDUCAUSE EDU>