Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: inital passwords for students
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Fri, 6 Dec 2013 10:04:15 -0500

In the past, we set students' initial passwords to date of birth, and the
relevant email notifying them that their account had been created told them
the correct format (yymmdd or whatever). We're moving away from this
however, as it's never been terribly secure, and with the way students
share personal information on Facebook and whatever, it's even less so
today.

Our new approach is to set initial passwords to randomly generated strings
of characters that meet our password complexity requirements. These strings
are not saved, and are never given to anyone. Instead, the email notifying
students that their account has been created directs them to our password
reset page, where they are able to choose their own password after
providing enough information to verify their identity.

We require passwords to be changed twice a year (180 days).

--Dave


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Fri, Dec 6, 2013 at 9:33 AM, Yost, Davis <yost () northwood edu> wrote:

Group,



Looking for guidance on emailing initial passwords to students, dose
anyone do this?  What do you use for the initial password?  How often do
you require students to change there password?





Thank you,



Davis Yost

Associate Director of Security and Networks

Northwood University

yost () northwood edu

989.837.4185 office

989.859.7761 cell




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault