[OPEN-ILS-GENERAL] user passwords for accounts - default?
Kathy Lussier
klussier at masslnc.org
Wed Feb 4 20:36:36 EST 2015
Only tangentially-related, but I would feel more comfortable supporting
a feature like the one Jennifer described with one common password and
would feel better about the phone number password that already exists as
a feature in Evergreen if the catalog regained the ability to check for
password strength at login.

https://bugs.launchpad.net/evergreen/+bug/1013786

I understand the reasons behind providing a simple password at
registration that is easy for users to remember, but we essentially are
giving users a weak password. Although some users may take the
initiative to change their passwords, I'm guessing many just stick with
the password they are given. Forcing them to change their passwords upon
the first login would allow us to provide a convenient, easy-to-remember
password at registration while also ensuring that a stronger password is
ultimately required to access the account.

Kathy

On 02/04/2015 07:06 PM, Walz, Jennifer wrote:
> Martha,
>
> That is very helpful! Thank you. I think maybe we will see if we can just load the duplicate of their barcode from their student id.
>
> Jennifer
> --------------------------------------------------
> Jennifer Walz, MLS - ILS manager
> Kinlaw Library - Asbury University
> One Macklem Drive, Wilmore, KY 40390
> 859-858-3511 ext. 2269
> jlwalz at asbury.edu
>
> -----Original Message-----
> From: Open-ils-general [mailto:open-ils-general-bounces at list.georgialibraries.org] On Behalf Of Martha Driscoll
> Sent: Wednesday, February 04, 2015 5:28 PM
> To: open-ils-general at list.georgialibraries.org
> Subject: Re: [OPEN-ILS-GENERAL] user passwords for accounts - default?
>
> Hi Jennifer,
> When you load your student records, you can certainly load in anything you want into the password field. It is usually helpful to load in something that is unique to the student like their birth date or university ID. You could load in the same password for everyone, but that would lead to students knowing how to access other students' accounts.
>
> If you register patrons by hand, then you can change the random password to something else. It's a few extra keystrokes, but will get you by until records are loaded for you.
>
> When we migrated our data, we loaded the same password into each record.
> It was a random string of 25 characters and we never told anyone what the password was. As long as the patron has a valid email address in their Evergreen record, then they can reset their password from the login screen. People who did not have an email address just had to ask the circulation staff to reset the password for them.
>
> For public libraries who don't load patron records, we had business cards printed up with 4-digit numbers on them. When registering a patron, libraries input the number on the next card and hand the card to the patron. That way they don't have to say out loud what the password is. The patron can then go change it to something else.
>
> --
> Martha Driscoll
> Systems Manager
> North of Boston Library Exchange
> Danvers, Massachusetts
> www.noblenet.org
>
> On 2/4/2015 4:00 PM, Walz, Jennifer wrote:
>> Kathy,
>>
>> That is what I believe is happening now when you register a new user.
>> But that is a random number. But the instructions on the web page
>> say use your phone number. That is incorrect. And what I really want
>> to know, is instead of generating a random number for each newly
>> registered user, is there a way to auto populate the field with the SAME
>> standard generic password. That way, when we personally register a new
>> student, we can tell them "this is your generic password" so they can
>> then go on the system to change it themselves. We would of course NOT
>> post those instructions on the web site or opac. We also hope to be
>> auto-loading our student records sometime soon. So in that process,
>> can we fill in the SAME starter password for each new user record when the
>> system uploads all of their other data? Does the system automatically
>> generate a random password whenever a new record is created? Can we
>> have it copy their barcode over to that field?
>>
>> Thanks!
>>
>> Jennifer
>>
>> --------------------------------------------------
>> Jennifer Walz, MLS - ILS Mysterium
>> Kinlaw Library - *Asbury University*
>> One Macklem Drive, Wilmore, KY 40390
>> 859-858-3511 ext. 2269
>> jlwalz at asbury.edu
>>
>> *From:*Open-ils-general
>> [mailto:open-ils-general-bounces at list.georgialibraries.org] *On Behalf
>> Of *Kathy Lussier
>> *Sent:* Tuesday, February 03, 2015 5:14 PM
>> *To:* open-ils-general at list.georgialibraries.org
>> *Subject:* Re: [OPEN-ILS-GENERAL] user passwords for accounts - default?
>>
>> Hi Jennifer,
>>
>> Another possible approach is to use a randomly-generated password when
>> creating the account and then instructing users to use the "Create or
>> reset your password" link on the "My Account" page to reset their
>> password on the first login. The advantage to this method is users can
>> then create their own passwords, which is a bit more secure than using
>> a phone number or another number that might be easily obtained.
>>
>> Kathy
>>
>> On 02/03/2015 11:17 AM, Walz, Jennifer wrote:
>>
>> All -
>>
>> Ok. I do appreciate that Evergreen has built in security
>> measures. They are very good. However, I am unclear about how we
>> can change some of those settings to better match our needs.
>>
>> It appears to me that the default for user account passwords is
>> the last 4 digits of the patron phone number. But we don't enter a
>> phone number most of the time. We use email as the required field
>> instead. Phone number is not required on the patron registration
>> form. So, then how do patrons know what their password is in order
>> to access their account through the opac interface? Is there a
>> way that we can set a default generic password to be populated into
>> the patron registration form? We had that on our previous system
>> and we could then tell all students to use that and then change
>> their password after they got into their account. How do we make
>> this work in Evergreen? How do students get into their account if
>> they don't know what the password is?
>>
>> Secondary issue: And I am assuming that somewhere in the templates
>> we can change the language of the prompt for the opac webpage?
>> Right now it tells patrons to use the last 4 digits of their
>> phone number - which is wrong information. Can someone tell me where
>> that text is so I can change it?
>>
>> Thanks!
>>
>> Jennifer
>>
>> --------------------------------------------------
>> Jennifer Walz, MLS - Head of ILS madness
>> Kinlaw Library - *Asbury University*
>> One Macklem Drive, Wilmore, KY 40390
>> 859-858-3511 ext. 2269
>> jlwalz at asbury.edu <mailto:jlwalz at asbury.edu>
>>
>>
>>
>> --
>>
>> Kathy Lussier
>>
>> Project Coordinator
>>
>> Massachusetts Library Network Cooperative
>>
>> (508) 343-0128
>>
>> klussier at masslnc.org <mailto:klussier at masslnc.org>
>>
>> Twitter:http://www.twitter.com/kmlussier
>>
--
Kathy Lussier
Project Coordinator
Massachusetts Library Network Cooperative
(508) 343-0128
klussier at masslnc.org
Twitter: http://www.twitter.com/kmlussier
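
The login-time strength check discussed in this thread, sketched as an added example (not Evergreen code and not part of the original messages): because only a hash is stored, login is the one point where the submitted plaintext can be compared with the account's own barcode and phone number and the patron made to choose a new password. The record layout, thresholds, PBKDF2 storage and function names are assumptions.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this example


@dataclass
class Patron:  # hypothetical record layout, not Evergreen's schema
    barcode: str
    phone: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_patron(barcode: str, phone: str, password: str) -> Patron:
    salt = os.urandom(16)
    return Patron(barcode, phone, salt, hash_password(password, salt))


def weakness(password: str, patron: Patron, shared=frozenset()) -> Optional[str]:
    """Return why a password is a weak starter value, or None if acceptable."""
    digits = re.sub(r"\D", "", patron.phone)
    if password == patron.barcode:
        return "same as barcode"
    if digits and password == digits[-4:]:
        return "last 4 digits of phone"
    if password in shared:  # site-wide starter passwords, if any were issued
        return "shared default password"
    if password.isdigit() and len(password) <= 6:
        return "short numeric PIN"
    if len(password) < 10:  # assumed minimum length
        return "shorter than 10 characters"
    return None


def login(patron: Patron, password: str, shared=frozenset()) -> str:
    """Return 'denied', 'change_required' or 'ok'."""
    candidate = hash_password(password, patron.salt)
    if not hmac.compare_digest(candidate, patron.pw_hash):
        return "denied"
    if weakness(password, patron, shared):
        patron.must_change = True  # gate the session until a new password is set
        return "change_required"
    return "ok"
```

A caller would route `change_required` to the password-change form and clear `must_change` only after a password that passes `weakness` has been stored.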