Educause Security Discussion mailing list archives
Re: Initial Passwords
From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 1 Apr 2009 13:46:26 -0400
Or, if you meant how do you deliver the account to the individual, that's a matter of whatever your policies are. Since the password is useful for one purpose only (to allow itself to be reset) you can deliver the ID and password to the individual on a piece of paper, depending on your process. Worst case is an interloper grabs it and chooses their own password in advance of the intended accountholder, in which case the latter person will be unable to do the same, and will call you, so the interception won't tend to remain undetected. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins Sent: Wednesday, April 01, 2009 1:43 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Initial Passwords You configure the account that way upon its creation. In our case, we use Active Directory and Kerberos, so it's possible for the admin to set the password's status to expired, and our password-change system recognizes that and acts accordingly. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A. Sent: Wednesday, April 01, 2009 1:09 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Initial Passwords How does one find or get the pre-expired password? Thanks for the response. Ronald King Security Engineer Norfolk State University Marie V. McDemmond Center for Applied Research Suite 401 700 Park Ave. Norfolk, Virginia 23504 Phone: 757-823-3918 Email: raking () nsu edu http://security.nsu.edu From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins Sent: Wednesday, April 01, 2009 12:51 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Initial Passwords A good practice is to distribute pre-expired passwords so that the person has to immediately change it by visiting your password-change page and select a new password. This way, their password becomes a secret known only to the accountholder. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A. Sent: Wednesday, April 01, 2009 12:47 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Initial Passwords I would like to inquire as to what other institutions have in place for assigning and distributing passwords for new users in a secure manner? Ronald King Security Engineer Norfolk State University Marie V. McDemmond Center for Applied Research Suite 401 700 Park Ave. Norfolk, Virginia 23504 Phone: 757-823-3918 Email: raking () nsu edu http://security.nsu.edu
Attachment:
smime.p7s
Description:
Current thread:
- Initial Passwords King, Ronald A. (Apr 01)
- <Possible follow-ups>
- Re: Initial Passwords Gary Dobbins (Apr 01)
- Re: Initial Passwords King, Ronald A. (Apr 01)
- Re: Initial Passwords Gary Dobbins (Apr 01)
- Re: Initial Passwords Gary Dobbins (Apr 01)
- Re: Initial Passwords King, Ronald A. (Apr 01)
- Re: Initial Passwords Bristol, Gary L. (Apr 01)
- Re: Initial Passwords Dexter Caldwell (Apr 01)
- Re: Initial Passwords Brenda B Gombosky (Apr 01)
- Re: Initial Passwords Schumacher, Adam J (Apr 01)
- Re: Initial Passwords Eric Case (Apr 01)