Re: Password Expatriation notification

["Dergenski, Todd A." <TDergens () ODU EDU>]

This very topic came up in a meeting this morning.  Our solution is multiple avenues of notification.  We send mails 
(30, 14 and 7 days out) and also have the lab machines prompt a notification under 30.  Additionally, we will be 
modifying our single sign on to display a notification page under 30 and do a redirect under 3.  Messages in our portal 
are also planned, but are hold until we can come up with more content.  They don't like a dedicated box that is empty 
most of the time.

I would recommend to find a service that everyone logs into regularly and see if you can get the message there. 

Todd Dergenski
Old Dominion University
Senior Security Administrator
4700 Elkhorn Ave - Room 4300
Norfolk, Va, 23529 USA

(757) 683-4301
tdergens () odu edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell 
Fulton
Sent: Saturday, August 21, 2010 1:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Expatriation notification

On 18/08/2010, at 6:44 AM, James Farr '05 wrote:

> We recently implemented a policy where the users receives an email 30 days
> before the password is set to expire.   Sure enough people thought this was
> a phishing attempt.   However, since we have some off campus users that may
> never step foot on campus email seemed to be the only way to notify
> everyone.



I have had this problem notifying people about possibly compromised credentials too.

After a bit of toing and froing we managed to convince the keepers of the university home page to add a password change 
link to the list of quick links on www.auckland.ac.nz.   Now we can tell folk how to change password easily without 
giving any urls.  We will use the same technique when we start expiring passwords later this year.

Russell