Educause Security Discussion mailing list archives
Re: Password Expatriation notification
From: James Farr '05 <jfarr () UTICA EDU>
Date: Thu, 19 Aug 2010 10:01:16 -0400
James, We are looking at removing the link for future notifications. I think that will help. I tried to implement a policy campus wide that said we would never include links in an email message, but that did not work. At least I may be able to control what is coming out of the department I belong to. How often do you send out the reminder messages? -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Sent: Thursday, August 19, 2010 9:23 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Password Expatriation notification We also send our users messages like this. However I'm concerned that it would take very little effort to copy the content, spoof the from address and href the links so they look genuine but take them to a random web server which is setup with a copy of our real password management system. For this reason I think we shouldn't provide links in emails that ask a user to login to anything, but should advise they visit our main web page (i.e. type it in themselves) and we give them a link off that. We can then also tag on to "we never ask for your password" that "we never link to pages that ask for your password". Has anyone else tackled this particularly? Cheers James
-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bob Bayn Sent: Tuesday, August 17, 2010 10:11 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Password Expatriation notification And we also send out an email notice 14 days before expiration, and again more frequently as the expiration approaches. We have a single enterprise credential for authentication to many systems, including email. We try to make our notification not-phish-like but still get a few inquiries as to the validity of the message. I usually congratulate those paranoid souls. At least it's better than believing everything. ;-) Our message says: Firstname Lastname [UniversityID#], Our system indicates that you have not changed your password since [Month day, year]. Please take a few minutes to change your password and review your challenge questions by going to http://password.usu.edu before [date 6 months later]. If you do not change your password by [the latter date], you may experience interruption of service on Utah State University systems. You will still be able to log in at http://id.usu.edu and make your password change after that date. You may also be temporarily receiving this message: 1) If you no longer attend Utah State University: You may not be interested in maintaining your password with us. Just ignore these messages. Once your password has expired these reminder messages will terminate. If you ever need access again you can update your password at http://id.usu.edu or contact the Service Desk. 2) If you have never attended Utah State University: We may have assigned you an account in conjunction with a high school concurrent enrollment course, or even as a result of receiving your SAT/ACT scores from high school. Once your password has expired these reminder messages will terminate. The Information Technology Service Desk can assist you with any questions you might have. Contact us at: Phone: 797-HELP (4357) Toll Free: 877-878-8325 Email: servicedesk () usu edu<mailto:servicedesk () usu edu> Footprints.usu.edu<http://Footprints.usu.edu> (Issue Tracking System) [end of message] ____________________________ Bob Bayn (435)797-2396 Security Team coordinator http://tinyurl.com/I-Need-a-Kidney Office of Information Technology at Utah State University
Current thread:
- Re: Password Expatriation notification, (continued)
- Re: Password Expatriation notification Eric Case (Aug 19)
- Re: Password Expatriation notification charlie derr (Aug 19)
- Re: Password Expatriation notification Eric Case (Aug 19)
- Re: Password Expatriation notification James Farr '05 (Aug 19)
- Re: Password Expatriation notification SCHALIP, MICHAEL (Aug 19)
- Re: Password Expatriation notification Eric Case (Aug 19)
- Re: Password Expatriation notification Eric Case (Aug 19)
- Re: Password Expatriation notification Morrow Long (Aug 19)
- Re: Password Expatriation notification Allison Dolan (Aug 19)
- Re: Password Expatriation notification Ullman, Catherine (Aug 19)
- Re: Password Expatriation notification James Farr '05 (Aug 19)
- Re: Password Expatriation notification Russell Fulton (Aug 20)
- Re: Password Expatriation notification Dergenski, Todd A. (Aug 23)
- Re: Password Expatriation notification Ozzie Paez (Aug 23)
- Back on topic.... Re: [SECURITY] University credentials used by third parties Flynn, Gary - flynngn (Aug 24)
- Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Joel Rosenblatt (Aug 24)
- Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Guy Pace (Aug 24)
- Re: Back on topic.... Re: [SECURITY] University credentials used by third parties David L. Wasley (Aug 24)
- Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties David Gillett (Aug 24)
- Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Jesse Thompson (Aug 25)
- Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Mike Porter (Aug 25)