Educause Security Discussion mailing list archives

First time/one time use default password


From: Tarun Trivedi <ttrivedi () WAUBONSEE EDU>
Date: Mon, 7 Nov 2011 14:28:47 -0600

Our institution currently assigns new students a unique Student ID
Number, which is also their Login ID for the institution's computer
network. For this Student ID, the first time/one time use default
password is their Date of Birth. At their first network login, the new
student is prompted to change their one time default password.
 
Keeping in mind the authentication guidance provided under FERPA (34
CFR Part 99; from page 74848, the following excerpt: "The use of widely
available information to authenticate identity, such as the recipient’s
name, date of birth, SSN or student ID number, is not considered
reasonable under the regulations."), I would appreciate your input on
the following:
 
- What are the risks associated with having widely available
information like DoB as a default one time password?
- What is the probability of having a breach due to an initial password
that is comprised of widely available information such as DoB?
- What is the worst case if a breach related to this occurs (PII
compromise, fines, etc.)?
- What does your institution have in place for a first time/one time
use default password process/procedure?
- How is your institution handling the first time network password
(generation and delivery) related tasks?
- How/why are you out of compliance if you have information like DoB as
the first time/one time use default password?
 
Thank you in advance for your time and reply.
 
 
Tarun Trivedi
 
IT Security Engineer
Waubonsee Community College
Route 47 at Waubonsee Drive
Sugar Grove, IL 60554
Ph#630-466-5744
e-mail: ttrivedi () waubonsee edu
web site: www.waubonsee.edu
 



