The concern that's usually raised is that the temporary password should be randomly and procedurally generated rather than be static.
CU*Answers believes the risk of security breach due to a static password is quite low due to the compensating controls we have around CU*BASE Security, including:
- A requirement that a person must have access to the network and to a PC with the CU*BASE software installed.
- The person would have to know the user ID.
- The person would also need to have the separate two-digit Employee ID and password in order to have access to any software.
- Credit employees are required to change the temporary password upon initial login.
- In addition, risk is mitigated by the credit union using available controls to define which tools and other information can be accessed, via the aforementioned employee ID.
- All activity on the system is tracked and can be reviewed and audited by the credit union.