Educause Security Discussion mailing list archives

Re: initial passwords for students


From: Don Faulkner <donf () UARK EDU>
Date: Tue, 10 Dec 2013 15:32:41 -0600

We do not use a commercial password management application. We've build
our own for a variety of legacy reasons. There may be changes to this in
the future, as we develop a more comprehensive identity and access
management (IAM) strategy.

Accounts begin life in a "ready to activate" state, and are unusable
until activated. To activate a new account, we require the user's
university ID number and their date of birth. We send the student's
university ID number in their welcome packet, sent by US mail to their
"permanent address." We remind users to change their password when it
reaches an age of 90 days. We give the user 30 days to comply, with
daily reminder emails sent the last 10 days. We the account when the
password age exceeds 120 days by resetting the password to a random
value. We have a separate mechanism to isolate misbehaving accounts.

Users may recover their account access through our "Forgot Password"
process. This works for scrambled/locked accounts as well as a regular
forgotten password. To recover an account, the user must provide their
username, university ID number, date of birth, and the answer to their
security question. If they've not set a security question (because it's
not yet required), the user must visit the help desk or a lab and
provide photo ID. The help desk then provides an "authorization code"
which becomes the user's security question until used. Off-campus users
needing password reset must be vouched for by a supervisor, department
head, or similar authority, before a similar procedure is followed.

Our password guidelines <http://its.uark.edu/passwords.html> require
8-32 characters with a minimum of 1 character from three of four "food
groups": uppercase, lowercase, numbers, and specials, along with a few
other requirements.

Our process is undergoing some changes in preparation for inclusion in a
broader IAM initiative. Any changes will be based on the guidance in
NIST SP 800-63.

One problem we've run into several times is the circumstance surrounding
deceased users. We've had to deal with the situation of allowing next of
kin or executors access to the email or file accounts of deceased
students and staff. Our current procedure is to treat the access request
as a remote user forgotten password situation with additional
requirements. We use the Supervisor/Department Head approval process and
paperwork, and request a copy of a death certificate. With that
information in hand, the next of kin or executor visits a lab or help
desk and is allowed to reset the password for the account. We also agree
with the individual on a time period of access, usually somewhere
between 2 days and a week, after which access is revoked.

-- 
Don Faulkner, CISSP | CISO <http://its.uark.edu/> at the University of Arkansas <http://www.uark.edu/>
contact>> donf () uark edu <mailto:donf () uark edu> | +1 (479) 575-2901
connect>> uarkITS on Facebook <http://www.facebook.com/uarkITS> | @uaits
<http://twitter.com/uaits> | @dfaulkner <http://twitter.com/dfaulkner>
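The password lifecycle and complexity rules described in the reply above, expressed as a small policy checker. This is an added example, not the University of Arkansas's own code; the exact day boundaries of the reminder windows and the generator used for the random reset are assumptions, and the unlisted "few other requirements" are not modelled.

```python
import secrets
import string

# Policy values as stated in the post: 8-32 characters, three of four
# character classes, reminder at 90 days, 30-day grace period with daily
# reminders over the last 10 days, random reset once the age exceeds 120.
MIN_LEN, MAX_LEN = 8, 32
REMIND_AGE, GRACE_DAYS, DAILY_REMINDER_DAYS = 90, 30, 10
SCRAMBLE_AGE = REMIND_AGE + GRACE_DAYS  # 120


def character_classes(password: str) -> set:
    """Return which of the four 'food groups' the password draws from."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def meets_guidelines(password: str) -> bool:
    """Length 8-32 and at least three of the four character classes."""
    if not (MIN_LEN <= len(password) <= MAX_LEN):
        return False
    return len(character_classes(password)) >= 3


def age_action(age_days: int) -> str:
    """Map a password age in days to the lifecycle action from the post.
    Assumption: day 90 is the first reminder and days 111-120 are the
    'last 10 days' with daily reminders."""
    if age_days > SCRAMBLE_AGE:
        return "scramble"  # reset to a random value; user must recover the account
    if age_days > SCRAMBLE_AGE - DAILY_REMINDER_DAYS:
        return "remind-daily"
    if age_days >= REMIND_AGE:
        return "remind"
    return "ok"


def scramble_password(length: int = MAX_LEN) -> str:
    """Random replacement password (CSPRNG) that itself passes the guidelines.
    The post does not say how its random value is generated; this is an assumption."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_guidelines(candidate):
            return candidate
```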

On 12/06/2013 08:33 AM, Yost, Davis wrote:

Group,

Looking for guidance on emailing initial passwords to students, does
anyone do this? What do you use for the initial password? How often
do you require students to change their password?

Thank you,

Davis Yost

Associate Director of Security and Networks

Northwood University

yost () northwood edu <mailto:yost () northwood edu>

989.837.4185 office

989.859.7761 cell
