Educause Security Discussion mailing list archives

Re: Password aging


From: Jim Moore <jhmfa () RIT EDU>
Date: Wed, 14 Jan 2004 09:46:46 -0500

Yes, I would have notified people that they needed to change their
passwords, password aging or not.  What I was forwarding to the list was
how we address the cultural issue of resistance to change, especially
since we are implementing password aging controls along with password
reuse controls, and password strength controls.  Most of the objections
center around "Now we will never be able to remember our passwords!"

Jim

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Worona
Sent: Tuesday, January 13, 2004 11:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password aging


Jim -- I'm sure I'm missing something obvious, but how would your
response to the password exposure (for which condolences are certainly
in order) have been different if password aging had already been in
place?  Wouldn't you still have had to notify everyone and tell them to
change their passwords?

Best wishes.

Steve
-----
At 11:09 AM -0500 1/13/04, Jim Moore wrote:
We had the unfortunate experience of having a password exposure for a 
small number of passwords, however, we could not tell which ones.

So we had to send an announcement, asking users to change their 
passwords.  And to make matters worse, it was just before Christmas 
break.

So what we added on was adapted from "Hard to Guess, doesn't 
necessarily mean Hard to Remember."

Be Sure to Select a Password that is
*      More than eight characters in length (longer is better).
*      Varied characters (alphabetical or numeric characters - without
punctuation or duplication).  **Here is where we are bitten by legacy
systems - we will add in punctuation characters as soon as we can **
*      Mixed (upper and lower) case characters.
*      Not found in any dictionary (English or foreign language).
*      Unrelated to personal information someone could discover about
you, such as your name or the name of a family member, or your address,
phone number, login name, social security number, brand of automobile,
or favorite pastime.

Three Easy Ways to Select a Secure Password
*      Choose a favorite quotation, book title, song, or poem, and use
the first letter of each word, mixed with digits you can remember. For
example, the quotation "Imagination is more important than knowledge" -
Albert Einstein mixed with multiples of 2, might become "iimitk2468AE"
or "24IimitkAE68."
*      Alternate between a random consonant and vowel to produce a
nonsense word that can often be pronounced. For example, "hikupwaso."
Now mix the case of the letters and add a few digits. For example,
"hikup79WASO" or "HIKUPwaso79."
*      Choose two or more shorter words and concatenate them together
with number(s) between them. For example: "booK451BradburY" or
"4booK5bradburY1".

Go ahead and Write it down
Effective passwords may initially be harder to remember, especially 
over a holiday break. Go ahead and write it down and store it with your
money or your credit cards and other "valuables."  Just don't put your
new password on a post-it or calendar near your computer while you're 
away. Starting in 2004, everyone will be required to change their 
password about once per quarter (every 120 days).

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

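The selection rules and the three methods in Jim's original message, turned into a policy checker and a generator as an added example. This is not code from the EDUCAUSE list, from RIT, or from either poster. SAMPLE_DICTIONARY and the profile tuple are constructed stand-ins, and two readings of the rules are assumptions of the example rather than anything the post states: "varied characters" is taken to require at least one letter and one digit, and "without duplication" as no character three or more times in a row.

```python
"""Added example (not code from the EDUCAUSE list or from RIT): a checker
for the password rules given in the post above, plus a generator for the
post's second method (consonant/vowel nonsense word, mixed case, digits).
"""
import re
import secrets
import string

# Constructed stand-in for a real word list such as /usr/share/dict/words.
SAMPLE_DICTIONARY = {
    "password", "imagination", "knowledge", "bradbury", "book",
    "welcome", "einstein", "quarter", "january",
}

CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"
ALLOWED = set(string.ascii_letters + string.digits)


def check_password(pw, dictionary=SAMPLE_DICTIONARY, personal=()):
    """Return the posted rules that pw breaks; an empty list means it passes.

    Rules as posted: more than eight characters; letters and digits only
    (punctuation is rejected only because of the legacy systems the post
    mentions); mixed upper and lower case; not a dictionary word; unrelated
    to personal information. Two readings are assumptions of this example:
    "varied characters" is taken to require at least one letter and one
    digit, and "without duplication" as no character three or more times
    in a row.
    """
    problems = []
    if len(pw) <= 8:
        problems.append("must be more than eight characters")
    if not set(pw) <= ALLOWED:
        problems.append("only letters and digits are accepted")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("must mix upper and lower case")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("must contain both letters and digits")
    if re.search(r"(.)\1\1", pw):
        problems.append("a character is repeated three or more times in a row")
    lowered = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or letters_only in dictionary:
        problems.append("is a dictionary word, with or without digits")
    # Any word of three or more characters from the user's known details
    # (name, login, car brand, ...) appearing inside the password is flagged.
    for item in personal:
        for word in item.split():
            token = re.sub(r"[^a-z0-9]", "", word.lower())
            if len(token) >= 3 and token in lowered:
                problems.append(f"contains personal information: {item!r}")
                break
    return problems


def first_letters(phrase):
    """Method 1 from the post: the first letter of each word, lower-cased,
    ready for the user to mix with digits and initials."""
    return "".join(w[0] for w in phrase.split() if w[0].isalpha()).lower()


def pronounceable_password(syllables=5, n_digits=2):
    """Method 2 from the post, automated: alternate a random consonant and
    vowel into a pronounceable nonsense word, then mix case and add digits
    in the shape of the post's "hikup79WASO". secrets (a CSPRNG) is used
    rather than random so the output is not predictable."""
    word = "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))
    half = len(word) // 2
    digits = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    return word[:half] + digits + word[half:].upper()


if __name__ == "__main__":
    profile = ("Jim Moore", "Bradbury")  # constructed personal details
    for candidate in ("iimitk2468AE", "hikup79WASO", "booK451BradburY",
                      "password1", "Moore2004!", pronounceable_password()):
        verdict = check_password(candidate, personal=profile)
        print(f"{candidate:18} {'OK' if not verdict else '; '.join(verdict)}")
```

Running the block prints one verdict per candidate; the post's own examples pass, while "booK451BradburY" is rejected once "Bradbury" is listed as a personal detail. The checker enforces the posted policy and nothing more: a password can satisfy every rule and still have little entropy, and the punctuation ban exists only because of the legacy systems the post mentions and should be lifted once they accept it. In a real deployment the constructed word list would be replaced by full English and foreign-language dictionaries, as the post asks.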