Re: inital passwords for students

[David Curry <david.curry () NEWSCHOOL EDU>]

> Do you have a commercial password reset page?

No; for a variety of reasons we elected to go the home-grown route. It's a
single page with three functions: Look Up NetID, Change Password, and Reset
Password.

You can see the first part of it, at least, at https://account.newschool.edu

--Dave




--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Fri, Dec 6, 2013 at 1:19 PM, David Curry <david.curry () newschool edu>wrote:

> > “providing enough information to verify their identity.”……   What
> information do you require?
>
> We require Student/Staff/Faculty ID number, NetID (username), Date of
> Birth, and, if the individual has ever been employed by the university,
> last four digits of SSN/TIN.
>
> --Dave
>
>
> --
>
> *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
>
> *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
>
> +1 212 229-5300 x4728 • david.curry () newschool edu
>
>
>
> On Fri, Dec 6, 2013 at 10:07 AM, Stevens, Eric J. <STEVENEJ () uwec edu>wrote:
>
> >  “providing enough information to verify their identity.”……   What
> > information do you require?
> >
> >
> >
> >
> >
> > Thanks
> >
> > Eric
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> > SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *David Curry
> > *Sent:* Friday, December 6, 2013 9:04 AM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* Re: [SECURITY] inital passwords for students
> >
> >
> >
> > In the past, we set students' initial passwords to date of birth, and the
> > relevant email notifying them that their account had been created told them
> > the correct format (yymmdd or whatever). We're moving away from this
> > however, as it's never been terribly secure, and with the way students
> > share personal information on Facebook and whatever, it's even less so
> > today.
> >
> >
> >
> > Our new approach is to set initial passwords to randomly generated
> > strings of characters that meet our password complexity requirements. These
> > strings are not saved, and are never given to anyone. Instead, the email
> > notifying students that their account has been created directs them to our
> > password reset page, where they are able to choose their own password after
> > providing enough information to verify their identity.
> >
> >
> >
> > We require passwords to be changed twice a year (180 days).
> >
> >
> >
> > --Dave
> >
> >
> >
> >
> > --
> >
> > *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
> >
> > *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
> >
> > +1 212 229-5300 x4728 • david.curry () newschool edu
> >
> >
> >
> > On Fri, Dec 6, 2013 at 9:33 AM, Yost, Davis <yost () northwood edu> wrote:
> >
> >  Group,
> >
> >
> >
> > Looking for guidance on emailing initial passwords to students, dose
> > anyone do this?  What do you use for the initial password?  How often do
> > you require students to change there password?
> >
> >
> >
> >
> >
> > Thank you,
> >
> >
> >
> > Davis Yost
> >
> > Associate Director of Security and Networks
> >
> > Northwood University
> >
> > yost () northwood edu
> >
> > 989.837.4185 office
> >
> > 989.859.7761 cell