Educause Security Discussion mailing list archives
Re: First time/one time use default password
From: "Miller, Richard H" <rick () BCM EDU>
Date: Mon, 7 Nov 2011 15:00:42 -0600
There is a risk in doing this since the DOB may be more available, especially given social media and the tendency of users to be a bit more open in what they share there. So:

- What are the risks associated with having widely available information like DoB as a default one time password

  This is probably a higher risk of people being able to find it out. Most people tend to post their DOB on their facebook/whatever pages.

- What is the probability of having a breach due to an initial password that is comprised of widely available information such as DoB

  This is probably a bit higher, since anyone has an easier time when half of the required elements are more likely known. Part of the answer would be how easy it is to determine the student ID for a particular student. If the ID is not easily determined then the probability is lower.

- What is the worst case if a breach related to this occurs (PII compromise, fines, etc.?)

  This depends on what type of provisioning you do for a new student. The worst case would depend on what they can do out of the box.

- What does your institution have in place for a first time one time use/default password process/procedure

  We generate a random string that can only be used once and expires within a very short period of time. The user must change their password when they log in using it.

- How is your institution handling the first time network password (generation and delivery) related tasks

  The password is put onto hard copy and given to them at orientation.

- How/why you are out of compliance if you have information like DoB as first time/one time use default password

Hope this helps

Rick

Richard H. Miller, CISSP, CCSE+
Information Security Manager
Information Technology Security and Compliance
Information Technology - Baylor College of Medicine

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tarun Trivedi
Sent: Monday, November 07, 2011 2:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] First time/one time use default password

Our institution currently assigns new students a unique Student ID Number, which is also their Login ID for the institution's computer network. For this Student ID, the first time/one time use default password is their Date of Birth. The new student at their first network login is prompted to change their one time default password.

Keeping in mind the authentication guidance provided under FERPA (34 CFR Part 99, page 74848, the following excerpt: "The use of widely available information to authenticate identity, such as the recipient's name, date of birth, SSN or student ID number, is not considered reasonable under the regulations."), I would appreciate your input on the following:

- What are the risks associated with having widely available information like DoB as a default one time password
- What is the probability of having a breach due to an initial password that is comprised of widely available information such as DoB
- What is the worst case if a breach related to this occurs (PII compromise, fines, etc.?)
- What does your institution have in place for a first time one time use/default password process/procedure
- How is your institution handling the first time network password (generation and delivery) related tasks
- How/why you are out of compliance if you have information like DoB as first time/one time use default password

Thank you in advance for your time and reply.
Tarun Trivedi
IT Security Engineer
Waubonsee Community College
Route 47 at Waubonsee Drive
Sugar Grove, IL 60554
Ph# 630-466-5744
e-mail: ttrivedi () waubonsee edu
web site: www.waubonsee.edu
Current thread:
- First time/one time use default password Tarun Trivedi (Nov 07)
- Re: First time/one time use default password Clementz, Todd (Nov 07)
- Re: First time/one time use default password Miller, Richard H (Nov 07)
- Re: First time/one time use default password Roger A Safian (Nov 07)
- Re: First time/one time use default password Solem, Vik P. (Nov 07)
- Re: First time/one time use default password Tim Doty (Nov 07)
- Re: First time/one time use default password Gary Flynn (Nov 08)