
Group,

 

Looking for guidance on emailing initial passwords to students, does anyone do this? What do you use for the initial password? How often do you require students to change their password?

 

 

Thank you,

 

Davis Yost

Associate Director of Security and Networks

Northwood University

yost@northwood.edu

989.837.4185 office

989.859.7761 cell

 

Comments

Hi,

Our students activate their accounts using their ssn/dob - once the account is active, we require a password change every 6 months.

Thanks,
Joel Rosenblatt

Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
In the past, we set students' initial passwords to date of birth, and the relevant email notifying them that their account had been created told them the correct format (yymmdd or whatever). We're moving away from this however, as it's never been terribly secure, and with the way students share personal information on Facebook and whatever, it's even less so today.

Our new approach is to set initial passwords to randomly generated strings of characters that meet our password complexity requirements. These strings are not saved, and are never given to anyone. Instead, the email notifying students that their account has been created directs them to our password reset page, where they are able to choose their own password after providing enough information to verify their identity.

We require passwords to be changed twice a year (180 days).

--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu



“providing enough information to verify their identity.” ... What information do you require?

 

 

Thanks

Eric

 

 

 

 

 

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Curry
Sent: Friday, December 6, 2013 9:04 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] inital passwords for students

 


 

Do you have a commercial password reset page?

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Curry
Sent: Friday, December 6, 2013 10:04 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] inital passwords for students

 


 

Message from nxg13@psu.edu

Our University requires that students do the following to get their first password:

 

Resident Students

 

This is accomplished during “New Student Orientation”.  Students are taken to a “signature station” – generally in our public computing labs on one of our campuses – to complete an account initiation process.  They authenticate using their university-provided mag-stripe ID card.  At that point, they are required to agree to specific university policies related to computing, etc.  Then, they can select their own password – as long as it complies with the password complexity rules.

 

Online Students

 

These students receive their first password via U.S. Mail during their registration process.  They are required to change it on first login.  It is a random string of characters – upper/lower/number/symbol.

 

Passwords are required to be changed every 12 months.  However, if a password is 11 months old, the user is forced to change it if they log in to our single sign-on service.  Some services that don’t use our SSO (a POP3 or IMAP email client, for example) don’t have the hooks to launch the password reset website, so we don’t force the password to be changed between the 11th and 12th month time periods if only those services are being used.  Accounts with passwords over 12 months are locked out and require a physical visit to one of our helpdesk locations.  Our online students have a telephone helpdesk that handles password resets, but everyone else is required to be physically present with a University ID card to get a password reset.

 

---

Nicklaus A. Giacobe, Ph.D.

Research Associate and Lecturer

Phone: 814-865-8233

College of Information Sciences and Technology

Penn State University

101 Information Sciences and Technology Building

University Park, PA 16802

 

Hi Davis,

 

We use DOB as the initial password.

We require the password to be changed annually for AD, and every 120 days for the Banner portal. There are currently no password changes enforced for our learning management systems.

 

We would prefer to enforce annual password changes for students, but the portal is back-ended by our Banner ERP which includes staff and faculty financial data, hence the forced change.

 

 

Hugh Burley

TRU - Senior Technology Coordinator

Information Security

CISSP, CIPP/C, CISA

Security, Privacy, Audit

250-852-6351

infosecurity@tru.ca

 

 

 

Message from dan.schwartz@lehigh.edu

Hi - 

We send a letter out with a banner id number and a generated pin which they then use to initially open their accounts, after which they use a username / password.  

We are currently in the process of changing that practice for student accounts to use a SAML or CAS connection from the applicant portal to do the initial authentication to create their account.  This way they don't need to wait for an initial password from us to arrive by mail, and we eliminate security concerns with email.  We implicitly trust that if they have entered all their personal information into the applicant portal, and based on that we've vetted their data and gone on to offer them admission, that they are who they say they are. 

We currently require password changes 2 times per year, though everyone is allowed to change their password more often.   I'd like to vary the expiration interval based on password complexity and length but haven't implemented that concept yet.

-- 
Dan Schwartz | LTS - Systems and Networking  | Lehigh University | das1@lehigh.edu | (610) 758-5061



We are planning to implement a process based on the guidance in NIST SP 800-63-2 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf), where we would send the student a one-time-use password reset link to an email address of record that was supplied by the applicant during the application process.

 

The main quote to refer to in the document is in Table 3 – Identity Proofing Requirements by Assurance Level:

“If personal information in records includes a telephone number or e-mail address, the CSP issues credentials in a manner that confirms the ability of the Applicant to receive telephone communications or text message at phone number or e-mail address associated with the Applicant in records. Any secret sent over an unprotected session shall be reset upon first use and shall be valid for a maximum lifetime of seven days;”
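One way to implement the clause quoted above (a reset secret that is invalidated on first use and lives at most seven days), which also realises the earlier point in the thread that the random secret itself is never stored. This is an added example for this thread, not any institution's code; the in-memory store, injectable clock and token format are assumptions for illustration.

```python
"""Single-use, time-limited password reset secret, following the NIST SP
800-63-2 clause quoted above: reset (invalidated) on first use, valid for at
most seven days, and never stored in the clear on the server side.

Added example for this thread, not any institution's code.  The in-memory
store, injectable clock and token format are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict

MAX_LIFETIME = timedelta(days=7)   # "valid for a maximum lifetime of seven days"


def utc_now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class ResetRecord:
    token_hash: str        # only a hash is kept; a leaked table yields no live links
    issued_at: datetime
    used: bool = False


class ResetTokenService:
    """Issues and redeems one-time reset tokens, one outstanding token per user."""

    def __init__(self, clock: Callable[[], datetime] = utc_now) -> None:
        self._clock = clock            # injectable so expiry is testable without waiting a week
        self._records: Dict[str, ResetRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id and return it for the e-mail body.
        Any earlier outstanding token for the user is superseded."""
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._records[user_id] = ResetRecord(self._digest(token), self._clock())
        return token

    def redeem(self, user_id: str, presented: str) -> bool:
        """Return True exactly once for a valid, unexpired token, else False."""
        rec = self._records.get(user_id)
        if rec is None or rec.used:
            return False
        if self._clock() - rec.issued_at > MAX_LIFETIME:
            rec.used = True                        # expired: burn it rather than leave it pending
            return False
        if not hmac.compare_digest(rec.token_hash, self._digest(presented)):
            return False                           # constant-time compare; token stays live
        rec.used = True                            # "shall be reset upon first use"
        return True
```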

 

> “providing enough information to verify their identity.” ... What information do you require?

We require Student/Staff/Faculty ID number, NetID (username), Date of Birth, and, if the individual has ever been employed by the university, last four digits of SSN/TIN.

--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu



The initial password is based on date of birth and it must be changed before connecting to our services. We have a self-service password process that enforces our password policy and passwords must be changed once every four months.

Barron

Barron Hulver
Director of Networking, Operations, and Systems
Center for Information Technology
Oberlin College
148 West College Street
Oberlin, OH 44074
440-775-8798
Barron.Hulver@oberlin.edu
http://www2.oberlin.edu/staff/bhulver/

> Do you have a commercial password reset page?

No; for a variety of reasons we elected to go the home-grown route. It's a single page with three functions: Look Up NetID, Change Password, and Reset Password. 

You can see the first part of it, at least, at https://account.newschool.edu

--Dave

 


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu



At Creighton University we have a home-grown application that creates a one-time password (OTP) for all new AD accounts.  Students receive their OTP from the admissions process; faculty and staff receive their OTP from their hiring manager.  All individuals use their OTP and date of birth to set up a security profile (security questions and answers along with an alternate email or text-capable number) and then they set their AD password.  AD passwords live for 180 days.  The security profile then ties to a password self-service tool that allows users to reset forgotten passwords through security questions and a verification code that is sent to the alternative email or text device.  We never subsequently change a user's password if they cannot use the self-service portal (forgot the answers to their security questions, etc.); we instead provide a new OTP (following verification of identity) so a new security profile can be created.

 

We have found the process to work well and password calls to the service desk have declined.

 

Bryan McLaughlin

Information Security Officer

Creighton University

bmclaughlin@creighton.edu

402-280-2386

 

We do not use a commercial password management application. We've built our own for a variety of legacy reasons. There may be changes to this in the future, as we develop a more comprehensive identity and access management (IAM) strategy.

Accounts begin life in a "ready to activate" state, and are unusable until activated. To activate a new account, we require the user's university ID number and their date of birth. We send the student's university ID number in their welcome packet, sent by US mail to their "permanent address." We remind users to change their password when it reaches an age of 90 days. We give the user 30 days to comply, with daily reminder emails sent the last 10 days. We scramble the account when the password age exceeds 120 days by resetting the password to a random value. We have a separate mechanism to isolate misbehaving accounts.

Users may recover their account access through our "Forgot Password" process. This works for scrambled/locked accounts as well as a regular forgotten password. To recover an account, the user must provide their username, university ID number, date of birth, and the answer to their security question. If they've not set a security question (because it's not yet required), the user must visit the help desk or a lab and provide photo ID. The help desk then provides an "authorization code" which becomes the user's security question until used. Off-campus users needing password reset must be vouched for by a supervisor, department head, or similar authority, before a similar procedure is followed.

Our password guidelines require 8-32 characters with a minimum of 1 character from three of four "food groups": uppercase, lowercase, numbers, and specials, along with a few other requirements.

Our process is undergoing some changes in preparation for inclusion in a broader IAM initiative. Any changes will be based on the guidance in NIST SP 800-63.

One problem we've run into several times is the circumstance surrounding deceased users. We've had to deal with the situation of allowing next of kin or executors access to the email or file accounts of deceased students and staff. Our current procedure is to treat the access request as a remote user forgotten password situation with additional requirements. We use the Supervisor/Department Head approval process and paperwork, and request a copy of a death certificate. With that information in hand, the next of kin or executor visits a lab or help desk and is allowed to reset the password for the account. We also agree with the individual on a time period of access, usually somewhere between 2 days and a week, after which access is revoked.

-- 
Don Faulkner, CISSP | CISO at the University of Arkansas
contact>> donf@uark.edu | +1 (479) 575-2901
connect>> uarkITS on Facebook | @uaits | @dfaulkner
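The complexity rule (8-32 characters, three of four "food groups") and the 90/30/10-day aging schedule described in the post above, as an added example that is not the University of Arkansas's code; the action names, the nightly-job framing and the scramble routine are assumptions.

```python
"""Password complexity and age enforcement as described in the post above:
8-32 characters drawn from at least three of four character classes; a
reminder at 90 days of age, 30 days to comply with daily reminders in the
last 10, and a scramble (reset to a random value) once the age exceeds 120.

Added illustration, not the University of Arkansas's code.  Thresholds come
from the post; the Action names and scramble() are assumptions.
"""
import secrets
import string
from enum import Enum
from typing import List

MIN_LEN, MAX_LEN = 8, 32
CLASSES_REQUIRED = 3
REMIND_AT = 90              # first reminder when the password reaches this age (days)
DEADLINE = 120              # 30 days to comply after the reminder
DAILY_FROM = DEADLINE - 9   # daily reminders cover the last 10 days: 111..120


def complexity_violations(password: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    groups = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "specials": any(c in string.punctuation for c in password),
    }
    if sum(groups.values()) < CLASSES_REQUIRED:
        missing = ", ".join(name for name, ok in groups.items() if not ok)
        problems.append(f"needs {CLASSES_REQUIRED} of 4 character classes; missing: {missing}")
    return problems


class Action(Enum):
    NONE = "no action"
    REMIND = "send first reminder"
    REMIND_DAILY = "send daily reminder"
    SCRAMBLE = "reset password to a random value; user recovers via Forgot Password"


def age_action(age_days: int, reminded: bool) -> Action:
    """Decide what a nightly job does for a password of the given age.
    `reminded` records whether the 90-day notice has already gone out."""
    if age_days > DEADLINE:
        return Action.SCRAMBLE
    if age_days >= DAILY_FROM:
        return Action.REMIND_DAILY
    if age_days >= REMIND_AT and not reminded:
        return Action.REMIND
    return Action.NONE


def scramble(length: int = MAX_LEN) -> str:
    """Random replacement password that itself satisfies the policy, so the
    scrambled value is never a weaker credential than the one it replaces."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not complexity_violations(candidate):
            return candidate
```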
On 12/06/2013 08:33 AM, Yost, Davis wrote:

Group,

 

Looking for guidance on emailing initial passwords to students, dose anyone do this?  What do you use for the initial password?  How often do you require students to change there password?

 

 

Thank you,

 

Davis Yost

Associate Director of Security and Networks

Northwood University

yost@northwood.edu

989.837.4185 office

989.859.7761 cell

 


Group,

 

Looking for guidance on emailing initial passwords to students, dose anyone do this?  What do you use for the initial password?  How often do you require students to change there password?

 

 

Thank you,

 

Davis Yost

Associate Director of Security and Networks

Northwood University

yost@northwood.edu

989.837.4185 office

989.859.7761 cell

 

Hi, Our students activate their accounts using their ssn/dob - once the account is active, we require password change every 6 months Thanks, Joel Rosenblatt Joel Rosenblatt, Director Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
In the past, we set students' initial passwords to date of birth, and the relevant email notifying them that their account had been created told them the correct format (yymmdd or whatever). We're moving away from this however, as it's never been terribly secure, and with the way students share personal information on Facebook and whatever, it's even less so today.

Our new approach is to set initial passwords to randomly generated strings of characters that meet our password complexity requirements. These strings are not saved, and are never given to anyone. Instead, the email notifying students that their account has been created directs them to our password reset page, where they are able to choose their own password after providing enough information to verify their identity.

We require passwords to be changed twice a year (180 days).

--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu



“providing enough information to verify their identity.”……   What information do you require?

 

 

Thanks

Eric

 

 

 

 

 

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Curry
Sent: Friday, December 6, 2013 9:04 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] inital passwords for students

 

In the past, we set students' initial passwords to date of birth, and the relevant email notifying them that their account had been created told them the correct format (yymmdd or whatever). We're moving away from this however, as it's never been terribly secure, and with the way students share personal information on Facebook and whatever, it's even less so today.

 

Our new approach is to set initial passwords to randomly generated strings of characters that meet our password complexity requirements. These strings are not saved, and are never given to anyone. Instead, the email notifying students that their account has been created directs them to our password reset page, where they are able to choose their own password after providing enough information to verify their identity.

 

We require passwords to be changed twice a year (180 days).

 

--Dave


 

--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu

 

Do you have a commercial password reset page?

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Curry
Sent: Friday, December 6, 2013 10:04 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] inital passwords for students

 

In the past, we set students' initial passwords to date of birth, and the relevant email notifying them that their account had been created told them the correct format (yymmdd or whatever). We're moving away from this however, as it's never been terribly secure, and with the way students share personal information on Facebook and whatever, it's even less so today.

 

Our new approach is to set initial passwords to randomly generated strings of characters that meet our password complexity requirements. These strings are not saved, and are never given to anyone. Instead, the email notifying students that their account has been created directs them to our password reset page, where they are able to choose their own password after providing enough information to verify their identity.

 

We require passwords to be changed twice a year (180 days).

 

--Dave


 

--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu

 

Message from nxg13@psu.edu

Our University requires that students do the following to get their first password:

 

Resident Students

 

This is accomplished during “New Student Orientation”.  Students are taken to a “signature station” – generally in our public computing labs on one of our campuses – to complete an account initiation process.  They authenticate using their university-provided mag-stripe ID card.  At that point, they are required to agree to specific university policies related to computing, etc.  Then, they can select their own password – as long as it complies with the password complexity rules.

 

Online Students

 

These students receive their first password via U.S. Mail during their registration process.  They are required to change it on first login.  It is a random string of characters – upper/lower/number/symbol.

 

Passwords are required to be changed every 12 months.  However, if a password is 11 months old, the user is forced to change it if they log in to our single-signon service.  Some services that don’t use our SSO (a POP3 or IMAP email client, for example) don’t have the hooks to launch the password reset website, so we don’t force the password to be changed between the 11th and 12th month time periods if only those services are being used.  Accounts with passwords over 12 months are locked out and require a physical visit to one of our helpdesk locations.  Our online students have a telephone helpdesk that handles password resets, but everyone else is required to be physically present with a University ID card to get a password reset.

 

---

Nicklaus A. Giacobe, Ph.D.

Research Associate and Lecturer

Phone: 814-865-8233

College of Information Sciences and Technology

Penn State University

101 Information Sciences and Technology Building

University Park, PA 16802

 

Hi Davis,

 

We use DOB as the initial password.

We require the password to be changed annually for AD, and every 120 days for the Banner portal. There are currently no password changes enforced for our learning management systems.

 

We would prefer to enforce annual password changes for students, but the portal is back ended by our Banner ERP which includes staff and faculty financial data, hence the forced change.

 

 

Hugh Burley

TRU - Senior Technology Coordinator

Information Security

CISSP, CIPP/C, CISA

Security, Privacy, Audit

250-852-6351

infosecurity@tru.ca

 

 

 

Message from dan.schwartz@lehigh.edu

Hi - 

We send a letter out with a banner id number and a generated pin which they then use to initially open their accounts, after which they use a username / password.  

We are currently in the process of changing that practice for student accounts to use a SAML or CAS connection from the applicant portal to do the initial authentication to create their account.  This way they don't need to wait for an initial password from us to arrive by mail, and we eliminate security concerns with email.  We implicitly trust that if they have entered all their personal information into the applicant portal, and based on that we've vetted their data and gone on to offer them admission, that they are who they say they are. 

We currently require password changes 2 times per year, though everyone is allowed to change their password more often.   I'd like to vary the expiration interval based on password complexity and length but haven't implemented that concept yet.

-- 
Dan Schwartz | LTS - Systems and Networking  | Lehigh University | das1@lehigh.edu | (610) 758-5061



We are planning to implement a process based on the guidance in NIST SP 800-63-2 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf)

 

Where we would send the student a onetime use password reset link to an email address of record that was supplied by the applicant during the application process.

 

The main quote to refer to in the document is in Table 3 – Identity Proofing Requirements by Assurance Level

 

“If personal information in records includes a telephone number or e-mail address, the CSP issues credentials in a manner that confirms the ability of the Applicant to receive telephone communications or text message at phone number or e-mail address associated with the Applicant in records. Any secret sent over an unprotected session shall be reset upon first use

and shall be valid for a maximum lifetime of seven days;”

 

> “providing enough information to verify their identity.”……   What information do you require?

We require Student/Staff/Faculty ID number, NetID (username), Date of Birth, and, if the individual has ever been employed by the university, last four digits of SSN/TIN.

--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu



The initial password is based on date of birth and it must be changed before connecting to our services. We have a self-service password process that enforces our password policy and passwords must be changed once every four months. Barron Barron Hulver Director of Networking, Operations, and Systems Center for Information Technology Oberlin College 148 West College Street Oberlin, OH 44074 440-775-8798 Barron.Hulver@oberlin.edu http://www2.oberlin.edu/staff/bhulver/
> Do you have a commercial password reset page?

No; for a variety of reasons we elected to go the home-grown route. It's a single page with three functions: Look Up NetID, Change Password, and Reset Password. 

You can see the first part of it, at least, at https://account.newschool.edu

--Dave

 


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu



At Creighton University we have a home grown application that creates a one-time password (OTP) for all new AD accounts.  Students receive their OTP from the admissions process, faculty and staff receive their OTP from their hiring manager.  All individuals use their OTP and date of birth to setup a security profile (security questions and answers along with an alternate email or text capable number) and then they set their AD password.  AD password live for 180 days.  The security profile then ties to a password self-service tool that allow users to reset forgotten password through security questions and a verification code that is sent to the alternative email or text device.  We never subsequently change a users password if they cannot use the self-service portal (forgot the answers to their security questions, etc.), we instead provide a new OTP (following verification of identity) so a new security profile can be created.

 

We have found the process to work well and password calls to the service desk have declined.

 

Bryan McLaughlin

Information Security Officer

Creighton University

bmclaughlin@creighton.edu

402-280-2386

 

We do not use a commercial password management application. We've build our own for a variety of legacy reasons. There may be changes to this in the future, as we develop a more comprehensive identity and access management (IAM) strategy.

Accounts begin life in a "ready to activate" state, and are unusable until activated. To activate a new account, we require the user's university ID number and their date of birth. We send the student's university ID number in their welcome packet, sent by US mail to their "permanent address." We remind users to change their password when it reaches an age of 90 days. We give the user 30 days to comply, with daily reminder emails sent the last 10 days. We the account when the password age exceeds 120 days by resetting the password to a random value. We have a separate mechanism to isolate misbehaving accounts.

Users may recover their account access through our "Forgot Password" process. This works for scrambled/locked accounts as well as a regular forgotten password. To recover an account, the user must provide their username, university ID number, date of birth, and the answer to their security question. If they've not set a security question (because it's not yet required), the user must visit the help desk or a lab and provide photo ID. The help desk then provides an "authorization code" which becomes the user's security question until used. Off-campus users needing password reset must be vouched for by a supervisor, department head, or similar authority, before a similar procedure is followed.

Our password guidelines require 8-32 characters with a minimum of 1 character from three of four "food groups": uppercase, lowercase, numbers, and specials, along with a few other requirements.

Our process is undergoing some changes in preparation for inclusion in a broader IAM initiative. Any changes will be based on the guidance in NIST SP 800-63.

One problem we've run into several times is the circumstance surrounding deceased users. We've had to deal with the situation of allowing next of kin or executors access to the email or file accounts of deceased students and staff. Our current procedure is to treat the access request as a remote user forgotten password situation with additional requirements. We use the Supervisor/Department Head approval process and paperwork, and request a copy of a death certificate. With that information in hand, the next of kin or executor visits a lab or help desk and is allowed to reset the password for the account. We also agree with the individual on a time period of access, usually somewhere between 2 days and a week, after which access is revoked.

-- 
Don Faulkner, CISSP | CISO at the University of Arkansas
contact>> donf@uark.edu | +1 (479) 575-2901
connect>> uarkITS on Facebook | @uaits | @dfaulkner
On 12/06/2013 08:33 AM, Yost, Davis wrote:

Group,

 

Looking for guidance on emailing initial passwords to students, dose anyone do this?  What do you use for the initial password?  How often do you require students to change there password?

 

 

Thank you,

 

Davis Yost

Associate Director of Security and Networks

Northwood University

yost@northwood.edu

989.837.4185 office

989.859.7761 cell

 


Group,

 

Looking for guidance on emailing initial passwords to students, dose anyone do this?  What do you use for the initial password?  How often do you require students to change there password?

 

 

Thank you,

 

Davis Yost

Associate Director of Security and Networks

Northwood University

yost@northwood.edu

989.837.4185 office

989.859.7761 cell

 

Hi, Our students activate their accounts using their ssn/dob - once the account is active, we require password change every 6 months Thanks, Joel Rosenblatt Joel Rosenblatt, Director Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
In the past, we set students' initial passwords to date of birth, and the relevant email notifying them that their account had been created told them the correct format (yymmdd or whatever). We're moving away from this however, as it's never been terribly secure, and with the way students share personal information on Facebook and whatever, it's even less so today.

Our new approach is to set initial passwords to randomly generated strings of characters that meet our password complexity requirements. These strings are not saved, and are never given to anyone. Instead, the email notifying students that their account has been created directs them to our password reset page, where they are able to choose their own password after providing enough information to verify their identity.

We require passwords to be changed twice a year (180 days).

--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu



“providing enough information to verify their identity.”……   What information do you require?

 

 

Thanks

Eric

 

 

 

 

 

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Curry
Sent: Friday, December 6, 2013 9:04 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] inital passwords for students

 


Do you have a commercial password reset page?

 

> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Curry
> Sent: Friday, December 6, 2013 10:04 AM
> To: SECURITY@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [SECURITY] inital passwords for students

 


Message from nxg13@psu.edu

Our University requires that students do the following to get their first password:

Resident Students

This is accomplished during “New Student Orientation”. Students are taken to a “signature station” – generally in our public computing labs on one of our campuses – to complete an account initiation process. They authenticate using their university-provided mag-stripe ID card. At that point, they are required to agree to specific university policies related to computing, etc. Then, they can select their own password – as long as it complies with the password complexity rules.

Online Students

These students receive their first password via U.S. Mail during their registration process. They are required to change it on first login. It is a random string of characters – upper/lower/number/symbol.

Passwords are required to be changed every 12 months. However, if a password is 11 months old, the user is forced to change it if they log in to our single sign-on service. Some services that don’t use our SSO (a POP3 or IMAP email client, for example) don’t have the hooks to launch the password reset website, so we don’t force the password to be changed between the 11th and 12th month time periods if only those services are being used. Accounts with passwords over 12 months are locked out and require a physical visit to one of our helpdesk locations. Our online students have a telephone helpdesk that handles password resets, but everyone else is required to be physically present with a University ID card to get a password reset.

---
Nicklaus A. Giacobe, Ph.D.
Research Associate and Lecturer
Phone: 814-865-8233
College of Information Sciences and Technology
Penn State University
101 Information Sciences and Technology Building
University Park, PA 16802

 

Hi Davis,

We use DOB as the initial password.

We require the password to be changed annually for AD, and every 120 days for the Banner portal. There are currently no password changes enforced for our learning management systems.

We would prefer to enforce annual password changes for students, but the portal is back-ended by our Banner ERP which includes staff and faculty financial data, hence the forced change.

Hugh Burley
TRU - Senior Technology Coordinator
Information Security
CISSP, CIPP/C, CISA
Security, Privacy, Audit
250-852-6351
infosecurity@tru.ca

 

 

 

Message from dan.schwartz@lehigh.edu

Hi - 

We send a letter out with a banner id number and a generated pin which they then use to initially open their accounts, after which they use a username / password.  

We are currently in the process of changing that practice for student accounts to use a SAML or CAS connection from the applicant portal to do the initial authentication to create their account.  This way they don't need to wait for an initial password from us to arrive by mail, and we eliminate security concerns with email.  We implicitly trust that if they have entered all their personal information into the applicant portal, and based on that we've vetted their data and gone on to offer them admission, that they are who they say they are. 

We currently require password changes 2 times per year, though everyone is allowed to change their password more often.   I'd like to vary the expiration interval based on password complexity and length but haven't implemented that concept yet.

-- 
Dan Schwartz | LTS - Systems and Networking  | Lehigh University | das1@lehigh.edu | (610) 758-5061



We are planning to implement a process based on the guidance in NIST SP 800-63-2 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf)

Where we would send the student a one-time use password reset link to an email address of record that was supplied by the applicant during the application process.

The main quote to refer to in the document is in Table 3 – Identity Proofing Requirements by Assurance Level

“If personal information in records includes a telephone number or e-mail address, the CSP issues credentials in a manner that confirms the ability of the Applicant to receive telephone communications or text message at phone number or e-mail address associated with the Applicant in records. Any secret sent over an unprotected session shall be reset upon first use and shall be valid for a maximum lifetime of seven days;”
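
The two rules in that quoted sentence (the mailed secret is reset on first use and lives at most seven days) as an added Python example; this is not code from the original post or from NIST, and the in-memory store, the function names and the sample student ids are assumptions standing in for a real credential service.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Assumed policy constant taken from the quoted NIST text: seven-day maximum lifetime.
TOKEN_LIFETIME = timedelta(days=7)

# Constructed in-memory stand-in for the credential service's database.
# Only a SHA-256 digest of each token is kept, so a leaked table yields no usable links.
_tokens: dict[str, dict] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: datetime) -> str:
    """Mint a single-use secret to embed in the reset link mailed to the address of record."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _tokens[_digest(token)] = {"user": user_id, "expires": now + TOKEN_LIFETIME, "used": False}
    return token  # handed to the mailer once, never logged or stored in clear


def redeem_reset_token(token: str, now: datetime):
    """Return the user id the token belongs to, or None if it is unknown, expired or already used.

    A valid token is consumed on the spot, which is the 'reset upon first use' rule:
    the student who follows the link sets a new password and the link is dead afterwards."""
    entry = _tokens.get(_digest(token))
    if entry is None or entry["used"] or now > entry["expires"]:
        return None
    entry["used"] = True
    return entry["user"]


def walkthrough() -> dict:
    """Exercise the outcomes with constructed data and return them for inspection."""
    t0 = datetime(2013, 12, 6, 9, 4, tzinfo=timezone.utc)
    link_a = issue_reset_token("student-A", t0)
    link_b = issue_reset_token("student-B", t0)
    return {
        "first_use": redeem_reset_token(link_a, t0 + timedelta(days=1)),  # "student-A"
        "replay": redeem_reset_token(link_a, t0 + timedelta(days=1)),     # None: already used
        "stale": redeem_reset_token(link_b, t0 + timedelta(days=8)),      # None: past 7 days
        "forged": redeem_reset_token("not-a-real-token", t0),             # None: unknown
    }


if __name__ == "__main__":
    print(walkthrough())
```
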

 

> “providing enough information to verify their identity.”……   What information do you require?

We require Student/Staff/Faculty ID number, NetID (username), Date of Birth, and, if the individual has ever been employed by the university, last four digits of SSN/TIN.

--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu



The initial password is based on date of birth and it must be changed before connecting to our services. We have a self-service password process that enforces our password policy and passwords must be changed once every four months.

Barron

Barron Hulver
Director of Networking, Operations, and Systems
Center for Information Technology
Oberlin College
148 West College Street
Oberlin, OH 44074
440-775-8798
Barron.Hulver@oberlin.edu
http://www2.oberlin.edu/staff/bhulver/

> Do you have a commercial password reset page?

No; for a variety of reasons we elected to go the home-grown route. It's a single page with three functions: Look Up NetID, Change Password, and Reset Password. 

You can see the first part of it, at least, at https://account.newschool.edu

--Dave

 


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu



At Creighton University we have a home grown application that creates a one-time password (OTP) for all new AD accounts. Students receive their OTP from the admissions process, faculty and staff receive their OTP from their hiring manager. All individuals use their OTP and date of birth to set up a security profile (security questions and answers along with an alternate email or text capable number) and then they set their AD password. AD passwords live for 180 days. The security profile then ties to a password self-service tool that allows users to reset forgotten passwords through security questions and a verification code that is sent to the alternative email or text device. We never subsequently change a user's password if they cannot use the self-service portal (forgot the answers to their security questions, etc.); we instead provide a new OTP (following verification of identity) so a new security profile can be created.

We have found the process to work well and password calls to the service desk have declined.

Bryan McLaughlin
Information Security Officer
Creighton University
bmclaughlin@creighton.edu
402-280-2386

 
