Educause Security Discussion mailing list archives
Re: Current Best Practice regarding Password Change policy
From: Dave Koontz <dkoontz () MBC EDU>
Date: Fri, 24 Sep 2010 11:09:17 -0400
I concur. What is missing from most of these types of threads is what information we are trying to protect and why. It is not a one-size-fits-all solution. Everyone here is pushing for the MAXIMUM policy to apply for all, which may not be the best solution. In my experience, Auditors are mostly focused on potential Financial abuse. That does not mean that all password policies must be the same.

For example, does an Adult student who takes a course every other year really need to change their password every 90 days? If you enable such a policy, your helpdesk will be swamped with calls to reset accounts unused for months to years, with little security gain IMO. Is that little added security worth the frustration to your students and the increased helpdesk costs?

For Administrative Staff and Faculty accessing administrative systems, a 90 day password change policy is proper. These are the people who could potentially view and/or alter records to transfer money for personal gain, or look up sensitive user information for abuse.

In other words, I believe password policies should be examined and determined by the type of user who can access sensitive information rather than a globally defined policy. I am sure others will disagree...

On 9/24/10 10:31 AM, Roger Safian wrote:
I'd suggest that password aging should be based on the risk that somebody could obtain, and crack, the password hashes. It's not a black and white issue, regardless of what the Auditors, Spaf, or I say about it.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Friday, September 24, 2010 7:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Current Best Practice regarding Password Change policy

On Fri, 24 Sep 2010 08:28:02 EDT, Barbara Deschapelles said:

We currently require all Students, Faculty and Staff to change passwords every 90 days and we are enforcing unique passwords (no repeats). This is a relatively new requirement here and we are getting a lot of pushback on the change. I'd like to get a feel for what people accept as current best practice for password change intervals and other related policies, and also, if it is different than the best practice, what people are actually doing (if you wish to share that :-)

There's "what everybody is doing because auditors insist" and "what actually makes sense in today's computing environment". Make sure to read what Gene Spafford wrote about it:
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/

(Anybody want to publicly admit they were able to sell the auditors on what Spaf said, and managed to eliminate mandatory changes?)
Current thread:
- Current Best Practice regarding Password Change policy Barbara Deschapelles (Sep 24)
- Re: Current Best Practice regarding Password Change policy Greg Washburn (Sep 24)
- Re: Current Best Practice regarding Password Change policy Valdis Kletnieks (Sep 24)
- Re: Current Best Practice regarding Password Change policy Scott O. Bradner (Sep 24)
- Re: Current Best Practice regarding Password Change policy Roger Safian (Sep 24)
- Re: Current Best Practice regarding Password Change policy Dave Koontz (Sep 24)
- Re: Current Best Practice regarding Password Change policy Koski, David (Sep 24)
- Re: Current Best Practice regarding Password Change policy John Ladwig (Sep 24)
- Re: Current Best Practice regarding Password Change policy Jack Reardon (Sep 24)
- Re: Current Best Practice regarding Password Change policy John Ladwig (Sep 24)
- Re: Current Best Practice regarding Password Change policy Dexter Caldwell (Sep 24)
- Re: Current Best Practice regarding Password Change policy Doty, Timothy T. (Sep 24)
- Re: Current Best Practice regarding Password Change policy Dexter Caldwell (Sep 24)
- Re: Current Best Practice regarding Password Change policy Joel Rosenblatt (Sep 24)
- Re: Current Best Practice regarding Password Change policy John Ladwig (Sep 24)
- Re: Current Best Practice regarding Password Change policy Joel Rosenblatt (Sep 24)