Re: Initial Passwords

[Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>]

You simply require that new accounts have a a 48-hour advance request
period.  When the account is created, you seal it in an envelope. Users
call the Help Desk to check on the status or if it's been more than 48
hours (2days) they can just drop by the Help Desk with their campus
picture id and you release the credentials.  This works for users who are
physically on campus.   Of course, you have to have methods of protecting
the account from Help Desk workers- especially if you use students as we
do.  So we essentially have professional staff generate the account sheets
and we seal them up.  Key is users know to call the Help Desk- for
EVERYTHING- especially when they don't know where to start..

Dexter Caldwell
The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
> Gary, thanks for the feedback.
>
> � 
>
> To all,
>
> Our dilemma is this:
>
> � 
>
> Our new users (or their manger) fills out a form requesting accesses to
> different systems based on their function here.�  When we get the form
> and all the appropriate signatures, we create the account and password.� 
> It usually takes us a day or two at the most.�  Our policies do not
> permit us to distribute this via non-secure means such as email, and, the
> user is waiting patiently to be informed, but, we are kind of in a catch
> 22 situation; I can’t email the info to you so you can access your
> email to see that I have created your account, and waiting for the user
> to contact us (provided they know who to contact) isn’t part of our
> customer service practices.
>
> � 
>
> So, how is it other institutions are handling this?
>
> � 
>
>
>
>
> Ronald King
>
> Security Engineer
>
> Norfolk State University
>
> Marie V. McDemmond Center for Applied Research 
>
> Suite 401 
>
> 700 Park Ave.
>
> Norfolk, Virginia�  23504
>
> Phone:�  757-823-3918
>
> Email: [ mailto:raking () nsu edu ]raking () nsu edu
>
> [ http://security.nsu.edu ]http://security.nsu.edu
>
>
>
>
> � 
>
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
> Sent: Wednesday, April 01, 2009 1:46 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Initial Passwords
>
>
>
>
> � 
>
> Or, if you meant how do you deliver the account to the individual, that's
> a matter of whatever your policies are.�  Since the password is useful
> for one purpose only (to allow itself to be reset) you can deliver the ID
> and password to the individual on a piece of paper, depending on your
> process.�  Worst case is an interloper grabs it and chooses their own
> password in advance of the intended accountholder, in which case the
> latter person will be unable to do the same, and will call you, so the
> interception won't tend to remain undetected.
>
> � 
>
> [Marker]� 
>
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
> Sent: Wednesday, April 01, 2009 1:43 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Initial Passwords
>
>
>
>
> � 
>
> You configure the account that way upon its creation.� �  In our case, we
> use Active Directory and Kerberos, so it's possible for the admin to set
> the password's status to expired, and our password-change system
> recognizes that and acts accordingly.
>
> � 
>
> � 
>
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
> Sent: Wednesday, April 01, 2009 1:09 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Initial Passwords
>
>
>
>
> � 
>
> How does one find or get the pre-expired password?
>
> � 
>
> Thanks for the response.
>
> � 
>
>
>
>
> Ronald King
>
> Security Engineer
>
> Norfolk State University
>
> Marie V. McDemmond Center for Applied Research 
>
> Suite 401 
>
> 700 Park Ave.
>
> Norfolk, Virginia�  23504
>
> Phone:�  757-823-3918
>
> Email: [ mailto:raking () nsu edu ]raking () nsu edu
>
> [ http://security.nsu.edu ]http://security.nsu.edu
>
>
>
>
> � 
>
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
> Sent: Wednesday, April 01, 2009 12:51 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Initial Passwords
>
>
>
>
> � 
>
> A good practice is to distribute pre-expired passwords so that the person
> has to immediately change it by visiting your password-change page and
> select a new password.�  This way, their password becomes a secret known
> only to the accountholder.
>
> � 
>
> � 
>
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
> Sent: Wednesday, April 01, 2009 12:47 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Initial Passwords
>
>
>
>
> � 
>
> I would like to inquire as to what other institutions have in place for
> assigning and distributing passwords for new users in a secure manner?
>
> � 
>
> Ronald King
>
> Security Engineer
>
> Norfolk State University
>
> Marie V. McDemmond Center for Applied Research 
>
> Suite 401 
>
> 700 Park Ave.
>
> Norfolk, Virginia�  23504
>
> Phone:�  757-823-3918
>
> Email: [ mailto:raking () nsu edu ]raking () nsu edu
>
> [ http://security.nsu.edu ]http://security.nsu.edu
>
> �