Communicating and Resetting Passwords for Sponsored People

This document explains resetting UMICH passwords for certain sponsored individuals. For some people, passwords are reset by the ITS Service Center; for others, passwords are reset by departmental sponsorship administrators. This document provides instructions for resetting sponsored individuals' passwords using the MCommunity Sponsor System. It also includes instructions for communicating passwords securely.

Sponsored Individuals Can Change Their Own Passwords

Sponsored people can change their own UMICH passwords via the U-M Change Your Password page.

If, however, the sponsored person has forgotten his or her password, the password will need to be reset by either the ITS Service Center or a sponsorship administrator.

Who Resets Which Passwords

To reset someone's UMICH password when he/she has forgotten it, you must be certain the person's identity is verified. This way, you prevent unauthorized access to U-M computing resources; you protect other users of computing resources, the resources themselves, and the university's reputation. You must be able to verify the person's identity to make sure the uniqname associated with the reset password really is theirs. That's the key idea behind who is allowed to reset passwords for which sponsored people.

The ITS Service Center Resets Passwords for People with Wolverine Access Entries

The ITS Service Center resets passwords for faculty, staff (regular and temporary), students and alumni. Service Center staff members have access to Wolverine Access and MCommunity, so they have access to enough identity information about these people to verify their identity over the phone or in person.

Most longer-term sponsored individuals are required to provide enough identity information (birthdate, address and so on) for an entry in Wolverine Access. Therefore, the ITS Service Center can verify their identity before resetting their password. This includes contractors, academic affiliates, temporary staff members, and incoming faculty and staff.

The Service Center can reset passwords for sponsored people who do not have Wolverine Access entries only in response to a request from the sponsoring unit when that unit has verified the person's identity.

Sponsorship Administrators Reset Passwords for Others

Shorter-term sponsored people, such as conference participants, as well as long-term guests, are required to provide only minimal identity information in order to be sponsored by a department or unit. They do not get an entry in Wolverine Access. The ITS Service Center does not have enough information to verify the identity of these people and must rely on the sponsoring unit to do so.

Sponsorship administrators for the sponsoring unit can reset passwords for long-term guests and for people with temporary uniqnames using the MCommunity Sponsor System—that is, for people who do not have Wolverine Access entries.

Why can't departments reset passwords for sponsored people who have Wolverine Access entries? It's a security issue. A sponsorship administrator can add a sponsorship to any member of the university community. For example, a sponsorship administrator could add a sponsorship to a faculty member in another department. Then, if departments were able to reset passwords for anyone they sponsor, the administrator could reset that individual's password. While most university employees are honest and would never do such a thing, allowing it would create a security risk.

Resetting UMICH Passwords Using the Sponsor System

Important You must be a sponsorship administrator for the department or unit that sponsored the person who needs a password reset. Ideally, you will be resetting a password for someone whose sponsorship you set up.

Follow these steps to change the password for an existing sponsorship:

  1. Login to the Sponsor System. You will see the View and Modify Sponsorships page. From this page, you can edit individual sponsorships and reset the password.

  2. Click a uniqname to see that person's sponsorship details.

    Screenshot of View and Modify Sponsorships. Click on a uniqname to view or edit the entry.

     

  3. Click Reset password, and the password will be reset. The only change you will see is that the Reset password button has changed to View password.

    Screenshot of View and Modify Sponsorships. Click the 'Reset password' button. The 'Reset password' button will change to read 'View password.'

     

  4. Click View password to view the new password.

    Screenshot of View and Modify Sponsorships. Click 'View password' to view the password.

  5. Click Hide password after you have saved the password or provided it to the sponsored person. Please communicate the password securely.

    Screenshot of View and Modify Sponsorships. Click 'hide password' after you have saved it or provided it to the sponsored person.

    Tip Troubleshooting: A grayed-out Reset Password button indicates that you cannot reset the person's password (most likely because there is not enough identity information on record for the ITS Service Center to verify identity). Direct the person to the Service Center to have his/her password reset.

Communicating Passwords Securely

It is your responsibility to follow best practices for securely communicating passwords to sponsored individuals or requesters. You need to be sure that only the intended recipient has access to the password.

Giving a Password to an Individual

When you sponsor an individual or reset a password, you will see the assigned temporary password on your computer screen. Give the password to the sponsored person securely:

  • Tell it to them in person. Do it verbally or hand them a piece of paper with the password on it. Do not write it down anywhere else.

  • Tell it to them verbally over the phone. Be sure you are speaking to the right person. Do not leave the password in voicemail that someone other than the sponsored person might be able to access.

Do not send a password via email. Email is not secure enough for sending passwords.

Inform the sponsored person that the initial or reset password is intended to be temporary. The sponsored person should visit the Change UMICH Password Page as soon as possible to change the password to something private that he or she can remember.

Giving Passwords to Multiple People

If you sponsor multiple people at once by uploading a file, such as a group of conference participants, you will see a list of uniqnames and passwords on your computer screen at the end of the sponsorship creation process. You may need to give this list to a requester, such as a conference organizer or some other person at the university who will convey the passwords to the sponsored individuals. Provide the list of passwords using either a paper copy of the list or secure electronic storage.

Using a Paper List of Passwords

  • Hand the paper copy of the list to the person who will distribute the passwords to the sponsored individuals (most likely the requester).

  • Ask them to communicate the passwords securely, doing so in person and not sending them via email.

  • Do not leave the paper list on a printer or elsewhere where anyone else could see it. Delete the file from your computer as soon as you no longer need it.

  • Once the passwords have been distributed, shred any copies of the paper list.

Sharing the List of Passwords Using Secure Online Storage

  • Upload the list to a secure location that only you and the requester can access. Use secure departmental file space or M+Box (see instructions below) to securely transfer the file using the process below.

  • Do not send the file via email as an attachment.

Communicating a Password List with U-M Box

U-M faculty, staff, students, and sponsored affiliates are eligible for M+Box. Don't have an M+Box account yet? Sign up at UM Box.

  1. Create a new U-M Box folder for the password file.

  2. In the Create New Folder box that appears when you create your folder, click the Keep private for now radio button. Then click Okay.

  3. To the right of your new folder's name, next to the Share link, click the button with three dots on it to activate a pop-up menu.

    Screen shot of Share button.

  4. From that pop-up menu, select Properties, then Folder Settings.

  5. On the Folder Settings page, scroll down to the Invitation Link section.

    1. Check the Enable collaborator invitation links checkbox if it is not already checked.

    2. Below that, in the Users can join with the role box, select Previewer.

  6. Scroll down further to the Automated Actions section.

    1. Check the Auto-delete this folder on a selected date checkbox, and enter a date for the folder to be deleted. Choose a date that allows the list recipient enough time to get the list. You might allow an extra week or two, but do not leave the password file available for an extended period of time.

    2. Scroll back to the top of the page, and, in the upper right corner, click the Save Changes button.

  7. Invite collaborators by clicking on the Invite People button in the right hand column of the U-M Box window.

  8. In the Invite to <your folder> window that pops up:

    1. In the Invite box, enter the email address (usually in the form of [email protected]) of the person to whom you are providing the passwords.

    2. In the Invited Permission drop down box, select Previewer.

    3. In the Personal Message (Optional), add a note to this effect:

      This folder will be used for sharing a file of passwords for sponsored people. Watch for another email when the file is available.

    4. Then click Send Invites.

  9. If you are not already inside your new folder, find it in your folder list and click it to open it. Upload the password file to the secure folder by clicking the Upload button, then Files, and choosing the file you need to upload. The recipient will receive a notice that you have added a file to the shared folder.

  10. Share the file by clicking the Share link to the far right of the file name. In the Shared Link for <your file name> dialog box:

    1. In the Email Address box, type the email address (usually in the form of [email protected]) of the person to whom you are providing the password list.

    2. In the Message box, type a message that lets the recipient know how long the password file will be available. Ask them to convey the passwords to the intended recipients securely and ensure that no one else has access to them. We have provided some text below that you can copy and paste into your message if desired.

      <Recipient Name>: You can use this link to access the requested login and password information I have shared with you. Please be aware that the file will automatically be removed on <Date of Expiration>. You are responsible for keeping the information provided secure. Please make sure to give this information only to those who need it, and please make sure to securely destroy/delete any copies of this information.

    3. Click Send.

Instructions for Retrieving Passwords from U-M Box

The person with whom you share the file will need to be signed up to use U-M Box (or just Box if they are not a member of the U-M community). If they have not yet signed up, they can do so at U-M Box by clicking Sign-up for U-M Box.

Each sponsored person should be directed to the UMICH Account Management to change his or her password as soon as possible to something that he or she can remember. If you print a copy of the password file, make sure you store it where no one can see it and shred it when you are finished. Remember, you are responsible for deleting any electronic copies you make!

Tags: 
MCommunity
MCommunity Sponsor System
Last Updated: 
Friday, October 28, 2016 - 00:00