Educause Security Discussion mailing list archives
Re: Initial Passwords
From: "Bristol, Gary L." <gbristol () OU EDU>
Date: Wed, 1 Apr 2009 13:44:36 -0500
What we do here is contact the sponsor or Manager and inform them that the account has been created, what the username is and where the user needs to go to (URL) to set up their security questions and password.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Wednesday, April 01, 2009 1:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Initial Passwords

Gary, thanks for the feedback.

To all,

Our dilemma is this: Our new users (or their manager) fill out a form requesting access to different systems based on their function here. When we get the form and all the appropriate signatures, we create the account and password. It usually takes us a day or two at the most. Our policies do not permit us to distribute this via non-secure means such as email, and the user is waiting patiently to be informed, but we are kind of in a catch-22 situation: I can't email the info to you so you can access your email to see that I have created your account, and waiting for the user to contact us (provided they know who to contact) isn't part of our customer service practices.

So, how is it other institutions are handling this?

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia 23504
Phone: 757-823-3918
Email: raking () nsu edu
http://security.nsu.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Wednesday, April 01, 2009 1:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Initial Passwords

Or, if you meant how do you deliver the account to the individual, that's a matter of whatever your policies are.

Since the password is useful for one purpose only (to allow itself to be reset) you can deliver the ID and password to the individual on a piece of paper, depending on your process. Worst case is an interloper grabs it and chooses their own password in advance of the intended accountholder, in which case the latter person will be unable to do the same, and will call you, so the interception won't tend to remain undetected.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Wednesday, April 01, 2009 1:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Initial Passwords

You configure the account that way upon its creation. In our case, we use Active Directory and Kerberos, so it's possible for the admin to set the password's status to expired, and our password-change system recognizes that and acts accordingly.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Wednesday, April 01, 2009 1:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Initial Passwords

How does one find or get the pre-expired password?

Thanks for the response.

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia 23504
Phone: 757-823-3918
Email: raking () nsu edu
http://security.nsu.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Wednesday, April 01, 2009 12:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Initial Passwords

A good practice is to distribute pre-expired passwords so that the person has to immediately change it by visiting your password-change page and selecting a new password. This way, their password becomes a secret known only to the accountholder.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Wednesday, April 01, 2009 12:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Initial Passwords

I would like to inquire as to what other institutions have in place for assigning and distributing passwords for new users in a secure manner?

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia 23504
Phone: 757-823-3918
Email: raking () nsu edu
http://security.nsu.edu
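The pre-expired-password approach described in the thread, sketched for Active Directory as an added example (not code from the thread or from any poster's institution): it creates the account with a random one-time password flagged for change at first logon, and lists enabled accounts whose owner never picked a password. The function names, the OU path placeholder and the 7-day threshold are assumptions.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 20)
    # Look-alike characters (0/O, 1/l/I) are left out because the value may be read off paper.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-='
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection bound, avoids modulo bias
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    -join $chars
}

function New-PreExpiredAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$OUPath   # placeholder, e.g. 'OU=Staff,DC=example,DC=edu'
    )
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    # -ChangePasswordAtLogon sets pwdLastSet to 0, so the password is expired from the start
    # and is only good for choosing a new one.
    New-ADUser -Name $DisplayName -SamAccountName $SamAccountName -Path $OUPath `
        -AccountPassword $secure -Enabled $true -ChangePasswordAtLogon $true
    # Returned once for out-of-band delivery (paper, sponsor); not written to any log here.
    [pscustomobject]@{ SamAccountName = $SamAccountName; InitialPassword = $plain }
}

function Get-UnclaimedAccount {
    param([int]$OlderThanDays = 7)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    # Enabled accounts with pwdLastSet = 0: the owner has not yet chosen a password.
    Get-ADUser -LDAPFilter '(&(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
            -Properties whenCreated |
        Where-Object { $_.whenCreated -lt $cutoff } |
        Select-Object SamAccountName, whenCreated
}
```

Accounts returned by `Get-UnclaimedAccount` still carry a deliverable initial password, so they are candidates for follow-up with the sponsor or for disabling until claimed.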