Educause Security Discussion mailing list archives

Re: initial passwords for students


From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Fri, 6 Dec 2013 12:06:13 -0600

We are planning to implement a process based on the guidance in NIST SP 800-63-2 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf), where we would send the student a one-time-use password reset link to an email address of record that was supplied by the applicant during the application process.

 

The main quote to refer to in the document is in Table 3 - Identity Proofing Requirements by Assurance Level:

"If personal information in records includes a telephone number or e-mail address, the CSP issues credentials in a manner that confirms the ability of the Applicant to receive telephone communications or text message at phone number or e-mail address associated with the Applicant in records. Any secret sent over an unprotected session shall be reset upon first use and shall be valid for a maximum lifetime of seven days;"

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Yost, Davis
Sent: Friday, December 06, 2013 8:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] initial passwords for students

 

Group, 

 

Looking for guidance on emailing initial passwords to students, does anyone
do this?  What do you use for the initial password?  How often do you
require students to change their password?

 

 

Thank you,

 

Davis Yost

Associate Director of Security and Networks

Northwood University

yost () northwood edu

989.837.4185 office

989.859.7761 cell
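
The process described in the reply at the top of this message (a one-time-use reset link mailed to the address of record, valid for at most seven days), sketched as an added example that is not part of the original thread. The class name, student IDs and BASE_URL are hypothetical, and the in-memory dict stands in for a real credential store.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=7)             # ceiling from the Table 3 text quoted above
BASE_URL = "https://idm.example.edu/reset"   # placeholder, not a real service


def _digest(token: str) -> str:
    # Only the hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetLinkStore:
    """Issues and redeems one-time password-reset tokens (illustrative only)."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (student_id, expires_at)

    def issue(self, student_id: str, now: datetime) -> str:
        # A new link supersedes any link still outstanding for this student.
        self._pending = {d: e for d, e in self._pending.items()
                         if e[0] != student_id}
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (student_id, now + MAX_LIFETIME)
        return token

    def link_for(self, token: str) -> str:
        # The URL that would be mailed to the address of record.
        return f"{BASE_URL}?token={token}"

    def redeem(self, token: str, now: datetime):
        """Return the student_id the token was issued for, or None.

        The entry is removed on first presentation, valid or not, so the
        link cannot be replayed; the caller then forces a new password.
        """
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None                      # unknown, superseded or already used
        student_id, expires_at = entry
        return student_id if now <= expires_at else None


if __name__ == "__main__":
    store = ResetLinkStore()
    t0 = datetime(2013, 12, 6, tzinfo=timezone.utc)  # constructed sample time
    tok = store.issue("s1001", t0)
    print(store.link_for(tok))
    print(store.redeem(tok, t0 + timedelta(days=1)))  # s1001
    print(store.redeem(tok, t0 + timedelta(days=1)))  # None (already used)
```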

 
