Educause Security Discussion mailing list archives
Re: default password
From: Frank Barton <bartonf () HUSSON EDU>
Date: Thu, 1 Sep 2016 08:36:05 -0400
Valdis,

We don't inform them of the initial password's value. When they go in for a self-service password reset they use certain pieces of information that had previously been communicated with us to confirm identity. This then allows them to manually reset their password.

It's not a perfect solution, given that some of the information can be found on social media, we are looking at out-of-band one-time-passwords for verification (SMS, voice call to known number, email to personal account, etc.) but there are concerns about those also (see recent NIST draft suggestions) which makes this whole conversation more... interesting...

Frank

On Wed, Aug 31, 2016 at 4:58 PM, Valdis Kletnieks <Valdis.Kletnieks () vt edu> wrote:

> On Wed, 31 Aug 2016 08:14:03 -0400, Frank Barton said:
>
>> We create random passwords that are not shared with anybody, Users then use
>> a self-service reset to set their own password
>
> What method do people use to notify users of a random initial password's value?

--
Frank Barton
ACMT
IT Systems Administrator
Husson University