Educause Security Discussion mailing list archives

Re: For IP; Re: good read: Please do not change your password


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Sun, 18 Apr 2010 12:00:51 +1200

On 17/04/2010, at 3:55 AM, Gene Spafford wrote:

I posted this back in 2006.   It is germane to this discussion:
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/

I first read this back when Spaf originally posted it and I have been using it to argue with auditors since :).

Our policy is to require users to change passwords yearly and we are about to start enforcing that (as we now have the means). This is useful: one, it mollifies auditors (they still aren't happy but less strident ;), two, it is not too onerous on users and three (most important from my point of view) it gives us a yearly touch point with users.

Once we are through the initial rush of changes (50K users...) I am going to link things like policy changes to the password change form. When a user changes their password they will be advised about changes in IT/Security policies since their last change and other relevant security information. This password change becomes part of the general security consciousness raising process.


Russell
