I am a low-level system administrator for a new college Learning Management System, or LMS.
(An LMS is the platform used by professors to post their syllabi, lecture notes, assignments, grades, announcements, etc.)
I do not have the authority to create new accounts, nor does anyone at our branch campus.
As new students are admitted into our school, we send account creation requests to the main campus.
The account creation process has a quirk. Let’s say we send a request for ten new accounts, but two of these students have already taken courses at the main campus. We will get back a list of ten accounts that look like they have all been newly-created, each with an assigned password. The eight new accounts will perform as expected; however, the already-existing accounts will have a new password listed, but this password will not work (the system won’t overwrite a password that has already been changed by the user).
Additionally, there is no way for us to check and see if the user already exists at the main campus, because we can see users only after they have been assigned to a course at our campus.
After new accounts are created, we send an email telling the user their login ID and password. We got tired of sending out erroneous information to those who already had accounts, so we began doing a test log-in before sending the information out, partly to seen which passwords worked and which did not, and partly to gauge the percentage of records that had erroneous information (i.e., bad passwords). In other words, we were trying to figure out: Is this just happening every once in a while? Or a lot? (It turns out roughly 20% or 30% of the records we were getting back had incorrect passwords listed.)
I realize there are many potential problems with the current system, and most of those problems are being worked on as we continue to iron things out. I’m not asking for suggested ways to improve the process. (I can think of several, including automating the process such that we no longer manually send emails with login information.)
Instead, I’d like to leverage the expertise of this community to ask: Is doing a test log-in with a newly-created student account some kind of a security faux pas? Would this be a no-no that should never be breached for any reason whatsoever? Or is it okay for a system admin to test a login before sending the information on to the user, particularly when it is known that there is a good chance the information will not be correct?
My staff is a customer-service organization with little-to-no formal training in information security. Also, once logged in successfully, we would immediately log out.
A recent debate has started on campus about whether we have been inadvertently committing a flagrant violation of security policy, or performing a justifiable quality assurance step by a system administrator. For the purposes of this question, we can assume “security policy” refers to industry best practices (not local written policies, which are being consulted even as I formulate this question).