
I have confirmed this email was also sent to our members using federated authentication via InCommon. Do these users really need to reset their password? Since some users will not understand the difference and will follow the EDUCAUSE password reset procedure, what will happen to these member accounts? Will they still be linked to the InCommon login process?

Thanks,
Dan

(2/19/2013 11:49 AM) Matthew Milliron said the following:
> The information about an EDUCAUSE server breach is accurate.
>
> We have just notified all members and the community via e-mail and social media outlets.
>
> The e-mail notification was sent through our e-mail marketing product (Informz). Links within the e-mail are redirected through our marketing product.
>
> Please note that the password reset page is responding slowly due to increased traffic. Old passwords have already been deactivated; therefore, you do not need to change your password immediately. We expect traffic to the page to decrease later today and tomorrow.
>
> For more information please visit: http://www.educause.edu/securitybreach
>
> Thank you for your understanding and patience.
>
> Regards,
> Matthew
>
> Matthew Milliron, Ed.D.
> Chief Information Officer
>
> EDUCAUSE
> Uncommon Thinking for the Common Good
> 282 Century Place, Suite 5000, Louisville, CO 80027
> direct: 303.939.0305 | main: 303.449.4430 | fax: 303.440.0461 | educause.edu

--
Dan Malone
dmalone@calpoly.edu
Cal Poly State University - San Luis Obispo
Attachment: smime.p7s (3.6 KB)

Comments

On 2/19/2013 4:28 PM, Dan Malone wrote:
> I have confirmed this email was also sent to our members using federated
> authentication via InCommon.
> Do these users really need to reset their password?

The message I received included this paragraph:

>> It is not necessary for InCommon account holders to update their
>> institutional credentials because EDUCAUSE does not have access to,
>> or store on any server, InCommon account information.

Another win for federated login!

--
%% Christopher A. Bongaarts   %% cab@umn.edu          %%
%% OIT - Identity Management  %% http://umn.edu/~cab  %%
%% University of Minnesota    %% +1 (612) 625-1809    %%
Message from derek.diget+idm-educause@wmich.edu

On Feb 19, 2013 at 16:44 -0600, Christopher Bongaarts wrote:
=>On 2/19/2013 4:28 PM, Dan Malone wrote:
=>> I have confirmed this email was also sent to our members using federated
=>> authentication via InCommon.
=>> Do these users really need to reset their password?
=>
=>The message I received included this paragraph:
=>
=>> > It is not necessary for InCommon account holders to update their
=>> > institutional credentials because EDUCAUSE does not have access to,
=>> > or store on any server, InCommon account information.
=>
=>Another win for federated login!

Note the use of "institutional". It really does not address any still-local-to-EDUCAUSE credentials. For example, we had a user that had "sync'd"[1] their EDUCAUSE profile to use InCommon logins, but this past Friday they were still able to log in using their "stand-alone" EDUCAUSE password. (They forgot to use the InCommon login since their password manager app had filled in the username/password fields, and were able to log in the old way.)

That means to me if you had a "stand-alone" EDUCAUSE profile that was converted/merged/sync'd to also use InCommon, the "stand-alone" password was NOT removed from the profile. This causes at least two issues.

One, based on this user's experience their "stand-alone" password was still in the database; if they did human password sync'ing (used their institutional password - against policy and best practice at other sites) the user should still change their institutional password. If they used a different password than what was used at the institution, but one that was used at other sites, they might want to change their password at those other sites, too. Especially if the sites use the same username/email address as part of the login process.

Two, what controls the "deactivated" flag on the profile/account? Tomorrow the user above is planning to first try logging in with their "stand-alone" password. We hope they get the deactivated notice, but they won't reset their local-to-EDUCAUSE password. Then they will try to log in with their InCommon credentials. And finally (after logging out/closing browser), retry to log in with the "stand-alone" password again. This is to see if a successful InCommon login will clear the "deactivated" flag but without doing a password reset, thus allowing the compromised password to stay in the database.

Note 1: User was sent an EDUCAUSE "invite-to-sync profile/account" email several months ago. They associated their EDUCAUSE account/profile with their WMU account several months ago and have normally been logging in via InCommon.

--
***********************************************************************
Derek Diget
Office of Information Technology
Western Michigan University - Kalamazoo Michigan USA - www.wmich.edu/
***********************************************************************
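The two account-store behaviours Derek describes above, modelled side by side as an added example (this is not EDUCAUSE's code, and nothing is known about how their profile system actually works): a "legacy" store that leaves the local password in place when a profile is linked to a federated IdP and clears the breach-response "deactivated" flag on any successful login, and a hardened store that drops the local secret on linking and only re-enables local login through an explicit password reset. The username, password and IdP subject are constructed sample values, and `run_scenario` replays exactly the three-step test the post plans (local login, federated login, local login again).

```python
"""Toy model of local-password retention after federated account linking."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password: str, stored: Tuple[bytes, bytes]) -> bool:
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    username: str
    local_pw: Optional[Tuple[bytes, bytes]]    # None means no local password exists at all
    federated_subject: Optional[str] = None    # hypothetical IdP identifier released on login
    local_pw_deactivated: bool = False         # the breach-response "deactivated" flag


class LegacyStore:
    """Behaviour the thread observes/fears: linking keeps the local password,
    and a federated login clears the deactivated flag without a reset."""

    def link_federated(self, acct: Account, subject: str) -> None:
        acct.federated_subject = subject       # local password hash is left in the database

    def deactivate_local_passwords(self, accts) -> None:
        for a in accts:
            if a.local_pw is not None:
                a.local_pw_deactivated = True

    def login_local(self, acct: Account, password: str) -> str:
        if acct.local_pw is None:
            return "no_local_password"
        if acct.local_pw_deactivated:
            return "deactivated"
        return "ok" if verify_password(password, acct.local_pw) else "bad_password"

    def login_federated(self, acct: Account, subject: str) -> str:
        if acct.federated_subject != subject:
            return "not_linked"
        acct.local_pw_deactivated = False      # side effect: any successful login "reactivates" the account
        return "ok"


class HardenedStore(LegacyStore):
    """Linking removes the local secret; only an explicit reset re-enables local login."""

    def link_federated(self, acct: Account, subject: str) -> None:
        acct.federated_subject = subject
        acct.local_pw = None                   # nothing left to reuse or to leak

    def login_federated(self, acct: Account, subject: str) -> str:
        # Federated login never touches the local-password state.
        return "ok" if acct.federated_subject == subject else "not_linked"

    def reset_local_password(self, acct: Account, new_password: str) -> None:
        acct.local_pw = hash_password(new_password)
        acct.local_pw_deactivated = False      # the only path that clears the flag


def run_scenario(store: LegacyStore) -> dict:
    """Replay the post's planned test against a store; returns the three outcomes."""
    acct = Account("sample.user", hash_password("old-standalone-pw"))   # constructed
    store.link_federated(acct, "sample.user@idp.example")               # constructed IdP subject
    store.deactivate_local_passwords([acct])                            # breach response
    first = store.login_local(acct, "old-standalone-pw")
    idp = store.login_federated(acct, "sample.user@idp.example")
    again = store.login_local(acct, "old-standalone-pw")
    return {"first_local": first, "federated": idp, "local_after_federated": again}


if __name__ == "__main__":
    print("legacy:  ", run_scenario(LegacyStore()))
    print("hardened:", run_scenario(HardenedStore()))
```

With the legacy store the third step succeeds with the old, possibly compromised password, which is the outcome the post is testing for; with the hardened store there is no local password left to deactivate or reactivate, and a compromised local credential cannot outlive the linking step.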