Educause Security Discussion mailing list archives
Re: Password aging
From: Jim Moore <jhmfa () RIT EDU>
Date: Wed, 14 Jan 2004 09:46:46 -0500
Yes, I would have notified people that they needed to change their passwords, password aging or not. What I was forwarding to the list was how we address the cultural issue of resistance to change, especially since we are implementing password aging controls along with password reuse controls, and password strength controls. Most of the objections center around "Now we will never be able to remember our passwords!"

Jim

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Worona
Sent: Tuesday, January 13, 2004 11:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password aging

Jim --

I'm sure I'm missing something obvious, but how would your response to the password exposure (for which condolences are certainly in order) have been different if password aging had already been in place? Wouldn't you still have had to notify everyone and tell them to change their passwords?

Best wishes.

Steve

-----

At 11:09 AM -0500 1/13/04, Jim Moore wrote:
We had the unfortunate experience of having a password exposure for a small number of passwords; however, we could not tell which ones. So we had to send an announcement, asking users to change their passwords. And to make matters worse, it was just before Christmas break. So what we added on was adapted from "Hard to Guess, doesn't necessarily mean Hard to Remember."

Be Sure to Select a Password that is

* More than eight characters in length (longer is better).
* Varied characters (alphabetical or numeric characters - without punctuation or duplication). **Here is where we are bit by legacy systems - we will add in punctuation characters as soon as we can **
* Mixed (upper and lower) case characters.
* Not found in any dictionary (English or foreign language).
* Unrelated to personal information someone could discover about you, such as your name or the name of a family member, or your address, phone number, login name, social security number, brand of automobile, or favorite pastime.

Three Easy Ways to Select a Secure Password

* Choose a favorite quotation, book title, song, or poem, and use the first letter of each word, mixed with digits you can remember. For example, the quotation "Imagination is more important than knowledge" - Albert Einstein mixed with multiples of 2, might become "iimitk2468AE," or "24IimitkAE68."
* Alternate between a random consonant and vowel to produce a nonsense word that can often be pronounced. For example, "hikupwaso." Now mix the case of the letters and add a few digits. For example, "hikup79WASO" or "HIKUPwaso79."
* Choose two or more shorter words and concatenate them together with number(s) between them. For example: "booK451BradburY." or "4booK5bradburY1"

Go ahead and Write it down

Effective passwords may initially be harder to remember, especially over a holiday break. Go ahead and write it down and store it with your money or your credit cards and other "valuables." Just don't put your new password on a post-it or calendar near your computer while you're away.

Starting in 2004, everyone will be required to change their password about once per quarter (every 120 days).

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.