Educause Security Discussion mailing list archives
Re: Password aging
From: Jim Moore <jhmfa () RIT EDU>
Date: Tue, 13 Jan 2004 11:09:19 -0500
We had the unfortunate experience of having a password exposure for a small number of passwords; however, we could not tell which ones. So we had to send an announcement, asking users to change their passwords. And to make matters worse, it was just before Christmas break. So what we added on was adapted from "Hard to Guess, doesn't necessarily mean Hard to Remember."

Be Sure to Select a Password that is

- More than eight characters in length (longer is better).
- Varied characters (alphabetical or numeric characters without punctuation or duplication). **Here is where we are bit by legacy systems - we will add in punctuation characters as soon as we can **
- Mixed (upper and lower) case characters.
- Not found in any dictionary (English or foreign language).
- Unrelated to personal information someone could discover about you, such as your name or the name of a family member, or your address, phone number, login name, social security number, brand of automobile, or favorite pastime.

Three Easy Ways to Select a Secure Password

- Choose a favorite quotation, book title, song, or poem, and use the first letter of each word, mixed with digits you can remember. For example, the quotation "Imagination is more important than knowledge" - Albert Einstein mixed with multiples of 2, might become "iimitk2468AE," or "24IimitkAE68."
- Alternate between a random consonant and vowel to produce a nonsense word that can often be pronounced. For example, "hikupwaso." Now mix the case of the letters and add a few digits. For example, "hikup79WASO" or "HIKUPwaso79."
- Choose two or more shorter words and concatenate them together with number(s) between them. For example: "booK451BradburY." or "4booK5bradburY1"

Go ahead and Write it down

Effective passwords may initially be harder to remember, especially over a holiday break. Go ahead and write it down and store it with your money or your credit cards and other "valuables." Just don't put your new password on a post-it or calendar near your computer while you're away.

Starting in 2004, everyone will be required to change their password about once per quarter (every 120 days).

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.