Re: Password Expatriation notification

[Eric Case <eric () ERICCASE COM>]

True, as things change you will need to change your systems.  If you have a
bunch of one-off systems, each with their own auth subsystem you will want
to look at an IAM system so you do not have so many things to updates the
next time things change.

The status quo is seldom a friend of security.
-Eric



Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase
(520) 344-CISO (2476)



> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP,
> MICHAEL
> Sent: Thursday, August 19, 2010 7:22 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password Expatriation notification
>
> Besides the implications for "service" that long passwords can cause -
there
> are also a myriad of systems out there that simply will not accept (or at
least
> not without a lot of code changes) long passwords!!  Think about your
> default password generation - if it's currently based on a default that
the
> student would know - that whole process has to be revamped.  If you do SSO
> and pass credentials - all of those systems will have to comply, too.....
>
> And when the students (or employees!!) can get in to one system - they
> won't be able to get in to any of them.....
>
> Sorry - I'm just not a fan of long passwords at this point.....
>
> M
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Farr '05
> Sent: Thursday, August 19, 2010 8:15 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password Expatriation notification
>
> I am seriously looking at passphrases, but I would still have them expire
if for
> no other reason that some users like to share their passwords with other
> people.  Right I am trying to work with the sys admins to give users the
ability
> to choose either strong complex 8 character password or a long passphrase
> that is less crazy.  I would be interested if others have found
passphrases
> more acceptable than complex passwords. I think they would be more
> accepted.
>
> James Farr
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Monroe
> Sent: Thursday, August 19, 2010 10:06 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password Expatriation notification
>
> Wouldn't it be easier to just require 15 or 20 character passphrases and
never
> have them expire? (Two factor would be nice but not financially sound for
> the whole campus right now.) It would seem that it might not be too hard
of
> a sell with the -- Never have to change it again.. angle. And passphrases
are
> easier to type than the random crazy passwords..
>
> Mark
>
> On 8/19/2010 8:56 AM, Ullman, Catherine wrote:
> > James,
> >
> > I would whole-heartedly agree to your statement about providing emails
> from
> > IT WITHOUT links, but rather reference a known web site by name.  I
> > think
> it
> > makes education and reinforcement of not clicking on links much easier
> when
> > IT never sends out links either.  :-)
> >
> > I expressed this sentiment just before a recent round of emails were
> > sent regarding password changes only to be informed that it would be
> > "too difficult" for the users to do and thus they wouldn't bother to
> > change
> their
> > passwords.  While I understand that the password change is critical, I
> think
> > sending links is today a greater risk because it encourages bad
> > behavior
> on
> > the part of the user.
> >
> > I will be interested to see what others out there have to say.
> >
> > Best,
> > Cathy
> >
> >
> > Catherine J. Ullman
> > Information Security Analyst
> > Information Security Office
> > University at Buffalo
> > cende () buffalo edu
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James
> > Sent: Thursday, August 19, 2010 9:23 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Password Expatriation notification
> >
> > We also send our users messages like this. However I'm concerned that
> > it would take very little effort to copy the content, spoof the from
> > address and href the links so they look genuine but take them to a
> > random web
> server
> > which is setup with a copy of our real password management system.
> >
> > For this reason I think we shouldn't provide links in emails that ask
> > a
> user
> > to login to anything, but should advise they visit our main web page
(i.e.
> > type it in themselves) and we give them a link off that. We can then
> > also tag on to "we never ask for your password" that "we never link to
> > pages
> that
> > ask for your password".
> >
> > Has anyone else tackled this particularly?
> >
> > Cheers
> > James
> >
> >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bob Bayn
> > > Sent: Tuesday, August 17, 2010 10:11 PM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] Password Expatriation notification
> > >
> > > And we also send out an email notice 14 days before expiration, and
> > > again more frequently as the expiration approaches.  We have a single
> > > enterprise credential for authentication to many systems, including
> > > email.    We try to make our notification not-phish-like but still get
a
> > > few inquiries as to the validity of the message.  I usually
> > > congratulate those paranoid souls.  At least it's better than
> > > believing
> > everything.
> >
> > > ;-)
> > >
> > > Our message says:
> > >
> > > Firstname Lastname [UniversityID#],
> > >
> > > Our system indicates that you have not changed your password since
> > > [Month day, year].
> > >
> > > Please take a few minutes to change your password and review your
> > > challenge questions by going to http://password.usu.edu before [date
> > > 6 months later].
> > >
> > > If you do not change your password by [the latter date], you may
> > > experience interruption of service on Utah State University systems.
> > > You will still be able to log in at http://id.usu.edu and make your
> > > password change after that date.
> > >
> > > You may also be temporarily receiving this message:
> > >
> > > 1) If you no longer attend Utah State University: You may not be
> > > interested in maintaining your password with us. Just ignore these
> > > messages. Once your password has expired these reminder messages will
> > > terminate. If you ever need access again you can update your password
> > > at http://id.usu.edu or contact the Service Desk.
> > >
> > > 2) If you have never attended Utah State University: We may have
> > > assigned you an account in conjunction with a high school concurrent
> > > enrollment course, or even as a result of receiving your SAT/ACT
> > > scores
> > >
> > > from high school. Once your password has expired these reminder
> >
> > > messages will terminate.
> > >
> > > The Information Technology Service Desk can assist you with any
> > > questions you might have.
> > >
> > > Contact us at:
> > > Phone: 797-HELP (4357)
> > > Toll Free: 877-878-8325
> > > Email: servicedesk () usu edu<mailto:servicedesk () usu edu>
> > > Footprints.usu.edu<http://Footprints.usu.edu>  (Issue Tracking
> > > System) [end of message] ____________________________
> > > Bob Bayn        (435)797-2396      Security Team coordinator
> > >              http://tinyurl.com/I-Need-a-Kidney
> > > Office of Information Technology   at  Utah State University
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

Attachment: smime.p7s
Description: