Educause Security Discussion mailing list archives

Re: Password Management for Students


From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Mon, 13 Oct 2008 08:32:08 -0400

I was hoping someone could lend me some assistance.  We are trying to
make some changes to our password policy for our students and we were
hoping to find out what other institutions are doing.  So here are our
questions.

How did you decide on the policy?

We do not enforce any password restrictions on students.  Our password
policy varies depending on the type of data an individual has access to.
If a student were also a member of staff and had access to an application
that stored or processed sensitive data, then certain password
restrictions would be imposed (e.g. 90-day password changes, password
strength enforcement, etc.).  We felt this was a good balance given the
inconvenience to users and the lack of convincing evidence on either side
of the argument that changing passwords provides value.  It also gets at
what we're really trying to protect.


How are the students resetting the password once it expires?

Anyone on campus who wishes to reset their password can do so via the
Help Center or through our portal.  The portal is leveraging
functionality built into our identity management solution.


Are you notifying your students when their password is
expiring via an email and is this process automated?

There is an automated email that goes out to a user when his or her
password is about to expire.  We also leverage click-through warning
messages when a user authenticates to certain systems.


Hope this is helpful!

Regards,

Doug Markiewicz
Information Security Office
Carnegie Mellon University
