Educause Security Discussion mailing list archives
Re: inital passwords for students
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Fri, 6 Dec 2013 13:29:33 -0500
Do you have a commercial password reset page?
No; for a variety of reasons we elected to go the home-grown route. It's a single page with three functions: Look Up NetID, Change Password, and Reset Password. You can see the first part of it, at least, at https://account.newschool.edu --Dave -- *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011 +1 212 229-5300 x4728 • david.curry () newschool edu On Fri, Dec 6, 2013 at 1:19 PM, David Curry <david.curry () newschool edu>wrote:
“providing enough information to verify their identity.”…… Whatinformation do you require? We require Student/Staff/Faculty ID number, NetID (username), Date of Birth, and, if the individual has ever been employed by the university, last four digits of SSN/TIN. --Dave -- *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011 +1 212 229-5300 x4728 • david.curry () newschool edu On Fri, Dec 6, 2013 at 10:07 AM, Stevens, Eric J. <STEVENEJ () uwec edu>wrote:“providing enough information to verify their identity.”…… What information do you require? Thanks Eric *From:* The EDUCAUSE Security Constituent Group Listserv [mailto: SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *David Curry *Sent:* Friday, December 6, 2013 9:04 AM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* Re: [SECURITY] inital passwords for students In the past, we set students' initial passwords to date of birth, and the relevant email notifying them that their account had been created told them the correct format (yymmdd or whatever). We're moving away from this however, as it's never been terribly secure, and with the way students share personal information on Facebook and whatever, it's even less so today. Our new approach is to set initial passwords to randomly generated strings of characters that meet our password complexity requirements. These strings are not saved, and are never given to anyone. Instead, the email notifying students that their account has been created directs them to our password reset page, where they are able to choose their own password after providing enough information to verify their identity. We require passwords to be changed twice a year (180 days). --Dave -- *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011 +1 212 229-5300 x4728 • david.curry () newschool edu On Fri, Dec 6, 2013 at 9:33 AM, Yost, Davis <yost () northwood edu> wrote: Group, Looking for guidance on emailing initial passwords to students, dose anyone do this? What do you use for the initial password? How often do you require students to change there password? Thank you, Davis Yost Associate Director of Security and Networks Northwood University yost () northwood edu 989.837.4185 office 989.859.7761 cell
Current thread:
- inital passwords for students Yost, Davis (Dec 06)
- Re: inital passwords for students Joel L. Rosenblatt (Dec 06)
- Re: inital passwords for students David Curry (Dec 06)
- Re: inital passwords for students Stevens, Eric J. (Dec 06)
- Re: inital passwords for students David Curry (Dec 06)
- Re: inital passwords for students David Curry (Dec 06)
- Re: inital passwords for students Stevens, Eric J. (Dec 06)
- Re: inital passwords for students Yost, Davis (Dec 06)
- Re: inital passwords for students Nick Giacobe (Dec 06)
- Re: inital passwords for students Hugh Burley (Dec 06)
- Re: inital passwords for students Dan Schwartz (Dec 06)
- Re: inital passwords for students Jones, Mark B (Dec 06)
- Re: inital passwords for students Barron Hulver (Dec 06)
- Re: inital passwords for students McLaughlin, Bryan S. (Dec 06)
- Re: inital passwords for students Don Faulkner (Dec 10)