Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: "King, Ronald A." <raking () NSU EDU>
Date: Fri, 10 Apr 2009 14:13:59 -0400
The same except sensitive systems are changed every 30 and non-sensitive (Active Directory) 90 days. The 30 days and complexity are part of VA state standards.

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia 23504
Phone: 757-823-3918
Email: raking () nsu edu
http://security.nsu.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Giannetto
Sent: Thursday, April 09, 2009 12:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Complexity and Aging

We are looking to implement a new password policy, and are currently trying to get our committee of end-users to buy into the change. The two sticking points are password complexity and password aging. They seem to understand the importance, but want to make sure that we're not asking too much from our end-users. They're looking for more assurance that what we're asking is necessary, and that we're not going overboard compared to most other colleges.

Our policy states that:
-Minimum 8 Characters
-At least 1 Uppercase
-At least 1 Lowercase
-At least 1 Number
-At least 1 Special
-Change every 120 days

Would anyone be willing to share their password complexity and aging requirements? Are we asking too much/not enough?

Does anyone have any quality tips or resources that would help substantiate why passwords must be this strong? Are there any compliance drivers worth mentioning? Has there been a recent study that surveys password complexity/aging in education?

Does anyone have other advice on how to get faculty, staff, and students to buy-in to this change? I'm sure many of you have had the pleasure of implementing strong password policies. Any advice you have would be greatly appreciated.

Thanks,

Matthew Y. Giannetto
Manager of IT Security
Montgomery County Community College
mgiannet () mc3 edu
215.619.7442

Home of the 2006, 2004 and 2002 CASE and Carnegie Foundation for the Advancement of Teaching's Pennsylvania Professors of the Year.

This e-mail message and any files transmitted with it are intended for the use of the individual(s) or entity to which they are addressed and may contain information that is privileged, proprietary or confidential. If you are not an intended recipient, you may not use, distribute or duplicate any information contained within this message. If you have received this communication in error, please immediately destroy all occurrences of this message and notify the sender. Thank you.

Montgomery County Community College
340 DeKalb Pike, Blue Bell, PA, USA, 19422
101 College Drive, Pottstown, PA, USA, 19464
www.mc3.edu
Current thread:
- Password Complexity and Aging Matthew Giannetto (Apr 09)
- <Possible follow-ups>
- Re: Password Complexity and Aging Tupker, Mike (Apr 09)
- Re: Password Complexity and Aging Eric Case (Apr 09)
- Re: Password Complexity and Aging Doug Markiewicz (Apr 10)
- Re: Password Complexity and Aging Stanclift, Michael (Apr 10)
- Re: Password Complexity and Aging Valdis Kletnieks (Apr 10)
- Re: Password Complexity and Aging King, Ronald A. (Apr 10)
- Re: Password Complexity and Aging Roger Safian (Apr 10)
- Re: Password Complexity and Aging Valdis Kletnieks (Apr 10)
- Re: Password Complexity and Aging Geoff Nathan (Apr 11)
- Re: Password Complexity and Aging Stephen John Smoogen (Apr 11)
- Re: Password Complexity and Aging Tom Siu (Apr 12)
- Re: Password Complexity and Aging Ryan Fox (Apr 13)
- Re: Password Complexity and Aging Doug Markiewicz (Apr 13)
- Re: Password Complexity and Aging Barros, Jacob (Apr 13)
- Re: Password Complexity and Aging Gary Dobbins (Apr 13)
- Re: Password Complexity and Aging Ryan Fox (Apr 13)
(Thread continues...)