Educause Security Discussion mailing list archives
Re: Secure communication of passwords
From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Thu, 29 Jan 2015 04:15:12 +0000
We are planning to implement a mechanism where users can supply a personal email address when they apply, get hired, etc. that would then be considered an 'address of record'. We would then send one-time-use, time-limited links to the users that could be used to set initial password or to reset passwords.

Our goal is for this mechanism to conform to the credential issuance procedures described in NIST SP 800-63 <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf> for LOA 2 credentials.

"If personal information in records includes a telephone number or e-mail address, the CSP issues credentials in a manner that confirms the ability of the Applicant to receive telephone communications or text message at phone number or e-mail address associated with the Applicant in records. Any secret sent over an unprotected session shall be reset upon first use and shall be valid for a maximum lifetime of seven days"

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Wednesday, January 28, 2015 3:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Secure communication of passwords

On occasion we need to communicate a password (with a possible username) with a user. This is generally for some external system that doesn't integrate into existing authentication mechanisms. Per our policy, we can't send the password via email and it shouldn't be written down. We generally try to communicate it via a phone call if possible, with a text message to a verified number as a backup. Unfortunately neither of these are convenient, so I wondered what others are using for this task.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564
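The one-time-use, time-limited link described in the reply above can be sketched as follows. This is an added example, not code from the list or from either institution; the `ResetLinkStore` class, its in-memory dictionary, and the sample user id are assumptions made for illustration.

```python
import hashlib
import secrets
import time

MAX_LIFETIME = 7 * 24 * 3600  # seven-day ceiling from the quoted NIST text


class ResetLinkStore:
    """Hypothetical in-memory store; a deployment would use a database."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id, lifetime=24 * 3600):
        """Return a URL-safe token to mail to the address of record."""
        if not 0 < lifetime <= MAX_LIFETIME:
            raise ValueError("lifetime must be within seven days")
        # A new link replaces any earlier outstanding link for this user.
        self._pending = {h: v for h, v in self._pending.items()
                         if v[0] != user_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id,
                                              self._clock() + lifetime)
        return token

    def redeem(self, token):
        """Return the user_id once; None if unknown, used or expired."""
        # pop() deletes the entry, so a second use of the same link fails.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if self._clock() <= expires_at else None

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table yields no usable link.
        return hashlib.sha256(token.encode()).hexdigest()


def demo():
    now = [1_000_000.0]  # constructed clock value for the demonstration
    store = ResetLinkStore(clock=lambda: now[0])
    link = store.issue("jdoe", lifetime=3600)
    first, second = store.redeem(link), store.redeem(link)
    stale = store.issue("jdoe", lifetime=3600)
    now[0] += 3601  # move past the expiry time
    return first, second, store.redeem(stale)
```

The token only authorises the user to choose a new password over a protected session; no password travels in the e-mail itself.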