Educause Security Discussion mailing list archives

Re: Secure communication of passwords


From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Thu, 29 Jan 2015 04:15:12 +0000

We are planning to implement a mechanism where users can supply a personal
email address when they apply, get hired, etc., that would then be
considered an 'address of record'. We would then send one-time-use,
time-limited links to the users that could be used to set an initial password
or to reset passwords. Our goal is for this mechanism to conform to the
credential issuance procedures described in NIST SP 800-63
<http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf>
for LOA 2 credentials.

"If personal information in records includes a telephone number or e-mail
address, the CSP issues credentials in a manner that confirms the ability of
the Applicant to receive telephone communications or text message at phone
number or e-mail address associated with the Applicant in records. Any
secret sent over an unprotected session shall be reset upon first use and
shall be valid for a maximum lifetime of seven days"

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Wednesday, January 28, 2015 3:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Secure communication of passwords

On occasion we need to communicate a password (with a possible username)
with a user. This is generally for some external system that doesn't
integrate into existing authentication mechanisms. Per our policy, we can't
send the password via email and it shouldn't be written down. We generally
try to communicate it via a phone call if possible, with a text message to a
verified number as a backup. Unfortunately neither of these is convenient,
so I wondered what others are using for this task.

Thomas Carter

Network and Operations Manager

Austin College 

903-813-2564
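
As an added example (not code from either poster), a minimal token store for the one-time, time-limited links Mark describes, enforcing the seven-day ceiling and reset-on-first-use from the quoted SP 800-63-2 text; the class and function names, the `/password/set` link path and the timestamps are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# SP 800-63-2 ceiling quoted above: a secret sent over an unprotected
# session is valid for at most seven days and must be reset on first use.
MAX_LIFETIME = timedelta(days=7)

def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

class OneTimeLinkStore:
    def __init__(self, lifetime=MAX_LIFETIME):
        if lifetime > MAX_LIFETIME:
            raise ValueError("lifetime exceeds the seven-day ceiling")
        self.lifetime = lifetime
        # Keyed by SHA-256 of the token: the cleartext token exists only in
        # the emailed link, so a leaked table does not yield live links.
        self._records = {}

    def issue(self, user_id, now):
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._records[_digest(token)] = {"user": user_id, "issued": now, "used": False}
        return token

    def redeem(self, token, now):
        """Return the user id once; None if unknown, already used, or expired."""
        rec = self._records.get(_digest(token))
        if rec is None or rec["used"]:
            return None
        if now < rec["issued"] or now - rec["issued"] > self.lifetime:
            return None
        rec["used"] = True  # consumed on first use, as the NIST text requires
        return rec["user"]

def build_link(base_url, token):
    # Hypothetical path; the token is the only secret carried in the link.
    return f"{base_url}/password/set?token={token}"

def demo():
    """Walk the issue/redeem flow on constructed data; returns each outcome."""
    store = OneTimeLinkStore()
    t0 = datetime(2015, 1, 29, 4, 15, tzinfo=timezone.utc)  # constructed
    token = store.issue("applicant-42", t0)
    return {
        "first_use": store.redeem(token, t0 + timedelta(hours=2)),
        "second_use": store.redeem(token, t0 + timedelta(hours=3)),
        "expired": store.redeem(store.issue("late", t0), t0 + timedelta(days=8)),
        "forged": store.redeem("not-a-real-token", t0),
    }
```

In a real deployment the records would live in a database with the same hashed key, and the link would be served only over TLS so the token is not exposed in transit.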