Educause Security Discussion mailing list archives

Re: Current Best Practice regarding Password Change policy


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 24 Sep 2010 08:52:43 -0400

On Fri, 24 Sep 2010 08:28:02 EDT, Barbara Deschapelles said:

We currently require all students, faculty and staff to change passwords
every 90 days, and we are enforcing unique passwords (no repeats). This is
a relatively new requirement here and we are getting a lot of push back on
the change.  I'd like to get a feel for what people accept as current best
practice for password change intervals and other related policies, and
also, if it is different than the best practice what people are actually
doing (if you wish to share that :-)

There's "what everybody is doing because auditors insist" and "what actually
makes sense in today's computing environment".  Make sure to read what Gene
Spafford wrote about it:

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/

(Anybody want to publicly admit they were able to sell the auditors
on what Spaf said, and managed to eliminate mandatory changes?)
