Educause Security Discussion mailing list archives

Re: Initial Passwords


From: Brenda B Gombosky <brenda.gombosky () LOUISVILLE EDU>
Date: Wed, 1 Apr 2009 15:53:50 -0400

Ronald, we have a fully automated Identity Management System but even at
that you have to have a system that can give out the initial password -
and for this you need something the user KNOWS - Our system is as
follows and does change on occasion:
 
All users are directed to the University Portal (either during a
mailing or information given at orientations (faculty/staff/student)) -
There is a link that is for "First Time Users" and instructions are
given there much like:
 
 
Your initial password will be the first two letters of your first name,
followed by the first two letters of your last name, followed by !,
followed by the last four digits of your student id. For Jane Smith,
1234567, her password is jasm!4567. 
 
Hope that helps!
 
 
Brenda B. Gombosky, CISSP, CGEIT, CISM, CHSP
Director, Enterprise Security  
Information Technology
University of Louisville
Miller IT Center, Room 109
Louisville, KY 40292
(502)852-5037
(502)419-6689



"King, Ronald A." <raking () NSU EDU> 4/1/2009 2:41 PM >>>

Gary, thanks for the feedback.
 
To all,
Our dilemma is this:
 
Our new users (or their manager) fill out a form requesting accesses to
different systems based on their function here.  When we get the form
and all the appropriate signatures, we create the account and password. 
It usually takes us a day or two at the most.  Our policies do not
permit us to distribute this via non-secure means such as email, and,
the user is waiting patiently to be informed, but, we are kind of in a
catch 22 situation; I can’t email the info to you so you can access your
email to see that I have created your account, and waiting for the user
to contact us (provided they know who to contact) isn’t part of our
customer service practices.
 
So, how is it other institutions are handling this?
 

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research 
Suite 401 
700 Park Ave.
Norfolk, Virginia  23504
Phone:  757-823-3918
Email: raking () nsu edu
http://security.nsu.edu

 

From:The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Wednesday, April 01, 2009 1:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Initial Passwords

 
Or, if you meant how do you deliver the account to the individual,
that's a matter of whatever your policies are.  Since the password is
useful for one purpose only (to allow itself to be reset) you can
deliver the ID and password to the individual on a piece of paper,
depending on your process.  Worst case is an interloper grabs it and
chooses their own password in advance of the intended accountholder, in
which case the latter person will be unable to do the same, and will
call you, so the interception won't tend to remain undetected.
 
 

From:The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Wednesday, April 01, 2009 1:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Initial Passwords

 
You configure the account that way upon its creation.   In our case, we
use Active Directory and Kerberos, so it's possible for the admin to set
the password's status to expired, and our password-change system
recognizes that and acts accordingly.
 
 

From:The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Wednesday, April 01, 2009 1:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Initial Passwords

 
How does one find or get the pre-expired password?
 
Thanks for the response.
 

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research 
Suite 401 
700 Park Ave.
Norfolk, Virginia  23504
Phone:  757-823-3918
Email: raking () nsu edu
http://security.nsu.edu

 

From:The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Gary Dobbins
Sent: Wednesday, April 01, 2009 12:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Initial Passwords

 
A good practice is to distribute pre-expired passwords so that the
person has to immediately change it by visiting your password-change
page and selecting a new password.  This way, their password becomes a
secret known only to the accountholder.
 
 

From:The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Wednesday, April 01, 2009 12:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: [SECURITY] Initial Passwords

 
I would like to inquire as to what other institutions have in place for
assigning and distributing passwords for new users in a secure manner?
 
Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research 
Suite 401 
700 Park Ave.
Norfolk, Virginia  23504
Phone:  757-823-3918
Email: raking () nsu edu 
http://security.nsu.edu 
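
The pre-expired initial password approach described in the thread above, sketched for Active Directory as an added example that is not part of the original messages or any poster's own tooling. It assumes the ActiveDirectory PowerShell module (RSAT); the function names, the OU path and the sample account are placeholders.

```powershell
# Added example: create an AD account whose random initial password is already
# expired, so the first logon forces the accountholder to choose their own.
Import-Module ActiveDirectory

function New-InitialPassword {
    param([int]$Length = 16)
    # No look-alike characters (0/O, 1/l/I): the value may be read off paper.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes >= limit: no modulo bias
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
        $pw = $sb.ToString()
        # Retry until upper, lower and digit are all present (AD complexity rules).
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    $rng.Dispose()
    return $pw
}

function New-PreExpiredUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$OrganizationalUnit   # placeholder OU path
    )
    $plain  = New-InitialPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    New-ADUser -Name $DisplayName -SamAccountName $SamAccountName `
        -Path $OrganizationalUnit -AccountPassword $secure `
        -Enabled $true -ChangePasswordAtLogon $true
    # Check: pwdLastSet = 0 is how AD records "must change password at next logon".
    $user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet
    if ($user.pwdLastSet -ne 0) {
        throw "Account $SamAccountName is not flagged for a forced password change"
    }
    # Hand the one-time value to the out-of-band channel (printed slip); never log it.
    [pscustomobject]@{ SamAccountName = $SamAccountName; InitialPassword = $plain }
}

# Constructed sample call (placeholder values):
# New-PreExpiredUser -SamAccountName 'jsmith' -DisplayName 'Jane Smith' `
#     -OrganizationalUnit 'OU=Staff,DC=example,DC=edu'
```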
 
