Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: inital passwords for students
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Fri, 6 Dec 2013 13:29:33 -0500

Do you have a commercial password reset page?

No; for a variety of reasons we elected to go the home-grown route. It's a
single page with three functions: Look Up NetID, Change Password, and Reset
Password.

You can see the first part of it, at least, at https://account.newschool.edu

--Dave




--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Fri, Dec 6, 2013 at 1:19 PM, David Curry <david.curry () newschool edu>wrote:

“providing enough information to verify their identity.”……   What
information do you require?

We require Student/Staff/Faculty ID number, NetID (username), Date of
Birth, and, if the individual has ever been employed by the university,
last four digits of SSN/TIN.

--Dave


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Fri, Dec 6, 2013 at 10:07 AM, Stevens, Eric J. <STEVENEJ () uwec edu>wrote:

 “providing enough information to verify their identity.”……   What
information do you require?





Thanks

Eric













*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *David Curry
*Sent:* Friday, December 6, 2013 9:04 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] inital passwords for students



In the past, we set students' initial passwords to date of birth, and the
relevant email notifying them that their account had been created told them
the correct format (yymmdd or whatever). We're moving away from this
however, as it's never been terribly secure, and with the way students
share personal information on Facebook and whatever, it's even less so
today.



Our new approach is to set initial passwords to randomly generated
strings of characters that meet our password complexity requirements. These
strings are not saved, and are never given to anyone. Instead, the email
notifying students that their account has been created directs them to our
password reset page, where they are able to choose their own password after
providing enough information to verify their identity.



We require passwords to be changed twice a year (180 days).



--Dave




--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Fri, Dec 6, 2013 at 9:33 AM, Yost, Davis <yost () northwood edu> wrote:

 Group,



Looking for guidance on emailing initial passwords to students, dose
anyone do this?  What do you use for the initial password?  How often do
you require students to change there password?





Thank you,



Davis Yost

Associate Director of Security and Networks

Northwood University

yost () northwood edu

989.837.4185 office

989.859.7761 cell








  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault