Educause Security Discussion mailing list archives
Re: Password Management for Students
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Mon, 13 Oct 2008 08:32:08 -0400
> I was hoping someone could lend me some assistance. We are trying to make some changes to our password policy for our students and we were hoping to find out what other institutions are doing. So here are our questions.
> How did you decide on the policy?
We do not enforce any password restrictions on students. Our password policy varies depending on the type of data an individual has access to. If a student were also a member of staff and had access to an application that stored or processed sensitive data, then certain password restrictions would be imposed (e.g. 90-day password changes, password strength enforcement, etc.). We felt this was a good balance given the inconvenience to users and the lack of convincing evidence on either side of the argument that changing passwords provides value. It also gets at what we're really trying to protect.
> How are the students resetting the password once it expires?
Anyone on campus who wishes to reset their password can do so via the Help Center or through our portal. The portal is leveraging functionality built into our identity management solution.
> Are you notifying your students when their password is expiring via an email and is this process automated?
There is an automated email that goes out to a user when his or her password is about to expire. We also leverage click-through warning messages when a user authenticates to certain systems.
Hope this is helpful!
Regards,
Doug Markiewicz
Information Security Office
Carnegie Mellon University