Educause Security Discussion mailing list archives
Re: Current Best Practice regarding Password Change policy
From: Jack Reardon <jack.reardon () WORCESTER EDU>
Date: Fri, 24 Sep 2010 13:58:03 -0400
At our university our students have single sign-on to their email/LMS/money on their onecard. We view security to these accounts comparable to security to an employee account. It may seem severe, but we are shooting for protection. We are also educating students for security in the professional world and for their important personal accounts.

Jack Reardon
Associate Director, Infrastructure Services
Worcester State University

On Fri, Sep 24, 2010 at 1:51 PM, John Ladwig <John.Ladwig () csu mnscu edu> wrote:

Such tailoring gets complicated, though. "It's just a student account" design considerations could get awfully stale awfully quickly if some enterprising business and IT project turns a big paper process with hand-keying of financial accounts for students into an internet-facing "self-service" student web application. There is still the matter of degree and volume of sensitive-data access, but the slope can get pretty slippy.

This is why we need good links between infosec, business analysts, and identity leads and architects. Internal LOA maintenance and consumption use cases have been coming to me far faster and with more significance than I'd have expected a few years ago when it was introduced to me in the context of external federation scenarios.

-jml

>>> "Koski, David" <dkoski () UMICH EDU> 2010-09-24 10:24 >>>

Agreed. This all goes back to the basics of understanding your users, access controls, and proper data classification. You can definitely make one size fit all with a lot of screaming and heartache, but if you properly understand your users, access levels and data, then you should properly quantify the risk involved. In my opinion, security should be tailored to have the least impact on the user but properly fit the risk. In most cases, this isn't a one size fits all, particularly in large organizations with many roles. Sure, there should be a minimum standard to keep users from choosing horrible horrible passwords (we all know they do anyways), but a student doesn't necessarily need to have the same password change requirements as someone working with financial information. Otherwise you tend to cost the organization more money in the end than the risk you were trying to mitigate to begin with.

David

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Koontz
Sent: Friday, September 24, 2010 11:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Current Best Practice regarding Password Change policy

I concur. What is missing from most of these types of threads is what information we are trying to protect and why. It is not a one size fits all solution. Everyone here is pushing for the MAXIMUM policy to apply for all, which may not be the best solution.

In my experience, Auditors are mostly focused on potential Financial abuse. That does not mean that all password policies must be the same. For example, an Adult student who takes a course every other year, do they really need to change their passwords every 90 days? If you enable such a policy, your helpdesk will be swamped with calls to reset accounts unused for months to years, with little security gain IMO. Is that little added security worth the frustration to your students and the increased helpdesk costs?

For Administrative Staff and Faculty accessing administrative systems, a 90 day password change policy is proper. These are the people who could potentially view and/or alter records to transfer money for personal gain, or look up user sensitive information for abuse.

In other words, I believe password policies should be examined and determined by the type of user who can access sensitive information rather than a globally defined policy. I am sure others will disagree...

On 9/24/10 10:31 AM, Roger Safian wrote:

I'd suggest that password aging should be based on the risk that somebody could obtain, and crack, the password hashes. It's not a black and white issue, regardless of what the Auditors, Spaf, or I say about it.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Friday, September 24, 2010 7:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Current Best Practice regarding Password Change policy

On Fri, 24 Sep 2010 08:28:02 EDT, Barbara Deschapelles said:

We currently require all, Students, Faculty and Staff, to change passwords every 90 days and we are enforcing unique passwords (no repeats). This is a relatively new requirement here and we are getting a lot of push back on the change. I'd like to get a feel for what people accept as current best practice for password change intervals and other related policies, and also, if it is different than the best practice, what people are actually doing (if you wish to share that :-)

There's "what everybody is doing because auditors insist" and "what actually makes sense in today's computing environment". Make sure to read what Gene Spafford wrote about it:

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/

(Anybody want to publicly admit they were able to sell the auditors on what Spaf said, and managed to eliminate mandatory changes?)