Re: Initial Passwords

["Schumacher, Adam J" <ADAMSCHUMACHER () CREIGHTON EDU>]

We are in the process of moving to a new process whereby new accounts are
generated with a random password and set to disabled.  The new employee gets
a OTP that is only good for the account creation system and logs on with
that, DOB, and userid to create a profile of security questions and set
his/her own password.  The account is then enabled and set with the password
the employee has chosen.

I believe the OTP will be communicated to the employee along with their
userid via paper that they will be handed to them by their supervisor.  This
isn't seen as too much of a risk because the info is done in-person and the
password can only be used for the one process.

Of course, you'd need to work with your HR department to get them to
integrate into your processes...


On 4/1/09 1:41 PM, "King, Ronald A." <raking () NSU EDU> wrote:

> Gary, thanks for the feedback.
>
>
>
> To all,
>
> Our dilemma is this:
>
>
>
> Our new users (or their manger) fills out a form requesting accesses to
> different systems based on their function here.  When we get the form and
> all the appropriate signatures, we create the account and password.  It
> usually takes us a day or two at the most.  Our policies do not permit us to
> distribute this via non-secure means such as email, and, the user is waiting
> patiently to be informed, but, we are kind of in a catch 22 situation; I
> can't email the info to you so you can access your email to see that I have
> created your account, and waiting for the user to contact us (provided they
> know who to contact) isn't part of our customer service practices.
>
>
>
> So, how is it other institutions are handling this?
>
>
>
> Ronald King
>
> Security Engineer
>
> Norfolk State University
>
> Marie V. McDemmond Center for Applied Research
>
> Suite 401
>
> 700 Park Ave.
>
> Norfolk, Virginia  23504
>
> Phone:  757-823-3918
>
> Email: raking () nsu edu
>
> http://security.nsu.edu
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
> Sent: Wednesday, April 01, 2009 1:46 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Initial Passwords
>
>
>
> Or, if you meant how do you deliver the account to the individual, that's a
> matter of whatever your policies are.  Since the password is useful for one
> purpose only (to allow itself to be reset) you can deliver the ID and
> password to the individual on a piece of paper, depending on your process.
> Worst case is an interloper grabs it and chooses their own password in
> advance of the intended accountholder, in which case the latter person will
> be unable to do the same, and will call you, so the interception won't tend
> to remain undetected.
>
>
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
> Sent: Wednesday, April 01, 2009 1:43 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Initial Passwords
>
>
>
> You configure the account that way upon its creation.   In our case, we use
> Active Directory and Kerberos, so it's possible for the admin to set the
> password's status to expired, and our password-change system recognizes that
> and acts accordingly.
>
>
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
> Sent: Wednesday, April 01, 2009 1:09 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Initial Passwords
>
>
>
> How does one find or get the pre-expired password?
>
>
>
> Thanks for the response.
>
>
>
> Ronald King
>
> Security Engineer
>
> Norfolk State University
>
> Marie V. McDemmond Center for Applied Research
>
> Suite 401
>
> 700 Park Ave.
>
> Norfolk, Virginia  23504
>
> Phone:  757-823-3918
>
> Email: raking () nsu edu
>
> http://security.nsu.edu
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
> Sent: Wednesday, April 01, 2009 12:51 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Initial Passwords
>
>
>
> A good practice is to distribute pre-expired passwords so that the person
> has to immediately change it by visiting your password-change page and
> select a new password.  This way, their password becomes a secret known only
> to the accountholder.
>
>
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
> Sent: Wednesday, April 01, 2009 12:47 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Initial Passwords
>
>
>
> I would like to inquire as to what other institutions have in place for
> assigning and distributing passwords for new users in a secure manner?
>
>
>
> Ronald King
>
> Security Engineer
>
> Norfolk State University
>
> Marie V. McDemmond Center for Applied Research
>
> Suite 401
>
> 700 Park Ave.
>
> Norfolk, Virginia  23504
>
> Phone:  757-823-3918
>
> Email: raking () nsu edu
>
> http://security.nsu.edu

sha1(

Adam Schumacher
Information Security Engineer
Creighton University

Don't share your password with ANYONE, EVER.  This means YOU!

402-280-2383
402-672-1732

)

= 1a72637cf94189654ab1a827520a5e41738f41b0

Attachment: smime.p7s
Description: