Educause Security Discussion mailing list archives

Re: First time/one time use default password


From: Tim Doty <tdoty () MST EDU>
Date: Mon, 7 Nov 2011 15:01:25 -0600

On Mon, 2011-11-07 at 14:28 -0600, Tarun Trivedi wrote:
Our institution currently for new students assigns a unique Student ID
Number, which is also their Login ID for the institution's computer
network. For this Student ID the first time/one time use default password
is their Date of Birth. The new student at their first network login
is prompted to change their one time default password.

Egads. When I was a student twenty years ago that was a system the
university I attended used. Now, times have changed so this isn't 100%
applicable, but I don't think it is surprising how susceptible this is
to social engineering and subsequent abuse.

One of the issues at the time was all students had a computer account,
but very few other than comp sci's actually used them. So an
enterprising student could have quite a few accounts without the owners
noticing. Nowadays a mitigating factor is the necessity for all students
to use their account.
 
Keeping in mind the authentication guidance provided under FERPA (34
CFR Part 99, from page 74848, the following excerpt: "The use of
widely available information to authenticate identity, such as the
recipient’s name, date of birth, SSN or student ID number, is not
considered reasonable under the regulations.")

I'd agree with that...
 
I would appreciate your input with following:
 
- What are the risks associated with having widely available
information like DoB as a default one time password

It's like any non-random default password, it isn't a good idea. It isn't
a matter of "is it abused" but rather "how much".

- What is the probability of having a breach due to initial password
that is comprised of widely available information such as DoB 

Probability is the intersection of ease and motivation. You make it very
easy then all it takes is "for giggles" motivation (random occurrences).
If there is something of worth the probability goes up very quickly
given how easy it is.

- What is the worst case if breach related to this occurs (PII
compromise, fines, etc.?)

That is too open ended a question and depends on particulars of your
environment. But I would be unsurprised if how seriously the institution
took security (using DOB for an initial password) played a role in
determining fines...

- What does your institution have in place for a first time/one time
use default password process/procedure

The user is provided (via snail mail and I believe external email) with
a randomly generated one time password. They can also do the equivalent
of a self-service password reset (which has all the usual associated
risks).

- How is your institution handling the first time network password
(generation and delivery) related tasks

Admissions office, I believe. Probably tied in to PeopleSoft, but I
don't deal with that process.

Tim Doty