[comp.sys.next] Account Passwords

Salvatore Saieva <SLVQC@CUNYVM.BITNET> (06/17/91)

In article <1721@toaster.SFSU.EDU>, eps@toaster.SFSU.EDU (Eric P. Scott) says:
>
>In article <9106141908.AA25449@cheops.cis.ohio-state.edu>
>        Greg Johnson
>        <CCGREG%UMCVMB.MISSOURI.EDU@OHSTVMA.ACS.OHIO-STATE.EDU>
>        writes:
[a lot of deleted text...]
>>                                                                      We use
>>the student's birthdate as their initial password.
>
>We don't, it's too easy to obtain.
>
[a lot more text deleted]

Initial account passwords are an important consideration. When I read about
Greg's idea of using birthdays in ``The Guidebook,'' I thought it was
a great idea. The biggest problem in setting initial passwords is distribution:
How do you get these passwords to the users? Of course one wants the password
to be somewhat complicated to avoid unauthorized break-ins, but it can become
a huge amount of work to distribute passwords to users; i.e., mail passwords
to users at the start of a semester, or (even worse) have a consultant
distribute passwords after verifying the user's ID.

Sal.
-------
 Salvatore Saieva                            Internet: slvqc@cunyvm.cuny.edu
 Queens College, Academic Computer Center      BITNET: slvqc@cunyvm.bitnet
 65-30 Kissena Blvd, Flushing, N.Y. 11367     DeskNet: (718) 520-7662

      awk, sed, grep, lex, yacc, make, >, <, |,... ``I got the Power!''

eps@toaster.SFSU.EDU (Eric P. Scott) (06/18/91)

In article <91168.102708SLVQC@CUNYVM.BITNET> SLVQC@CUNYVM.BITNET
	(Salvatore Saieva) writes:
>                                                           but it can become
>a huge amount of work to distribute passwords to users; i.e., mail passwords
>to users at the start of a semester,

If you're clever, you only have to worry about password
distribution once per person per "lifetime."

At a typical school, students don't get new student numbers each
semester--that stuff is handled ONCE, and they get periodic
validation stickers for their ID cards.  You can do the same
thing electronically (I'll leave the details as an exercise for
the reader :-) ).

>                                     or (even worse) have a consultant
>distribute passwords after verifying the user's ID.

What?  You don't trust your consultants?  You've got bigger
problems...

For our AC NeXT cluster, each new user receives a letter-sized
sheet folded in thirds:

	top /
	    \
	    /

The top third is visible, and bears the identifying information.
Most of the top two-thirds is a "welcome" letter, which (among
other things) instructs the user to change his/her password
IMMEDIATELY and TELL NO ONE.  The initial password appears
somewhere on the middle third.  The bottom third is printed with
a guard pattern, and the sheet is stapled.  These are collated
and can be picked up upon presentation of proper ID.  Simple,
inexpensive, relatively painless.  (And it has a "paper trail,"
which administrative types like.)

					-=EPS=-