Communicating Passwords Securely to Sponsored People

How to communicate a UMICH (Level-1) password that you have set or reset in the MCommunity Sponsor System to a sponsored person or requester securely to ensure that only the intended recipient has access to the password.  These instructions may also be of use for communicating other passwords securely when necessary.

Contents

Giving a Password to an Individual

When you sponsor an individual or reset their password in the MCommunity Sponsor System, in some cases you will see the assigned password on your computer screen. To give the password to the sponsored person securely, use one of these options:

  • Tell it to them in person. Do it verbally or hand them a piece of paper with the password on it. Do not write it down anywhere else.
  • Tell it to them verbally over the phone. Be sure you are speaking to the right person. Do not leave the password in voicemail that someone other than the sponsored person might be able to access.
  • Send via Dropbox Paper. You can find links to documentation for using Dropbox Paper at Common Dropbox Tasks. Note that passwords may not be permanently stored in Dropbox. When using Dropbox Paper to share passwords:
    • Share with a single email address with view-only permission.
    • Avoid sending the password and uniqname/login ID together where possible.
    • Delete the shared file within five days.
    • Advise the recipient to change their password on first use.
  • Use encrypted email (U-M Gmail plus Virtru). If you need to send a password to someone from your U-M email (Gmail at U-M), use Virtru to encrypt the email. You must:
    • Disable forwarding.
    • Avoid sending the password and login ID together where possible.
    • Set the email to expire within five days.
    • Advise the recipient to change their password on first use.

After communicating a password: Remind the person that the initial or reset password is intended to be temporary and that they should visit UMICH Account Management as soon as possible to change their UMICH (Level-1) password to something that only they know.

Helping Individuals Enroll in Duo

When you provide a newly sponsored person with their UMICH password, you can also direct them to these webpages for information about setting up and using Duo two-factor:

If you are working with a sponsored person in-person, consider giving them a printed copy of this one-page reference chart: Duo Options at-a-Glance.

Please help your sponsored affiliates enroll in Duo if you can. If they have questions you cannot answer, you can direct them to the ITS Service Center.

Giving Passwords to Multiple People

If you sponsor multiple people at once by uploading a file, such as a group of conference participants, you will see a list of uniqnames and passwords on your computer screen at the end of the sponsorship creation process. You may need to give this list to a requester, such as a conference organizer or some other person at the university who will convey the passwords to the sponsored individuals. Provide the list of passwords using a paper copy of the list, secure approved electronic storage, or U-M Google email with Virtru.

Using a Paper List of Passwords

  • Hand the paper copy of the list to the person who will distribute the uniqnames and passwords to the sponsored individuals (most likely the requester).
  • Ask them to communicate the passwords securely, doing so in person or using Virtru to encrypt email sent with Gmail at U-M.
  • Do not leave the paper list on a printer or elsewhere where anyone else could see it. Delete the file from your computer as soon as you no longer need it.
  • Once the passwords have been distributed, shred any copies of the paper list.

Using Encrypted Email (Gmail at U-M Plus Virtru)

You can send a list of uniqnames and passwords to the requester or other person who will distribute them using your U-M Gmail email account if you use Virtru to encrypt the email. When using Virtru for encrypting email with passwords, you must:

  • Disable forwarding.
  • Set the email to expire within five days.
  • Advise the recipients to change their passwords on first use.

Using Dropbox Paper

You can securely share a list of passwords using Dropbox Paper. For documentation, see Common Dropbox Tasks. Passwords may not be permanently stored in Dropbox.

When using Dropbox Paper to share a list of passwords:

  • Share with a single email address with view-only permission.
  • Delete the shared file within five days.
  • Advise the recipients to change their passwords on first use.

Reminder When Sharing Passwords

Direct sponsored people to UMICH Account Management to change their UMICH password as soon as possible after they receive it. Passwords from the Sponsor System are intended to be temporary.

Last Updated: 
Wednesday, May 12, 2021