Educause Security Discussion mailing list archives
Re: Student Passwords
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Wed, 7 Dec 2011 17:00:13 +0000
Our requirements:

- 8 characters minimum
- 1 upper case character minimum
- 1 lower case minimum
- 1 number minimum
- 1 special character minimum
- Expires after 180 days (this was temporarily disabled)

Students can use a self-service password reset that requires the answers to five security questions that they choose. In practice, I don't think this helps. We manually do a few thousand password resets every year because students forget their passwords and their security questions (we only have about 10k students).

I think our requirements are overly picky; we'd be better off requiring longer passwords with less complexity per character so that we could encourage students to use passphrases. Many of our students only use their accounts a few times a semester and this makes it easy for them to forget their passwords. Also, many of our students have a hard time picking a password that will meet the complexity requirements and this has led to our helpdesk staff giving advice like "Put a name a year and a star, for example: Name1928*" which completely defeats the purpose of requiring complex passwords in the first place.

The whole process is currently a big security hole. We have to process so many resets that it would be impossible for us to carefully scrutinize every request for a password reset or to make everyone show up in person with ID.

We switched from our previous requirements, which were much more lax, to these with no notice and very little discussion--it went from idea to implementation while I was on vacation last year... It hasn't worked out very well for us.

For anyone considering a change, please initiate some local discussion before you do anything. Consider what you're trying to accomplish and how the proposed changes will actually accomplish it. Don't rush into something without considering the impact of the changes and preparing to handle the support/education that comes with it.

Best regards,

Steven Alexander Jr.
Online Education Systems Manager
Merced College
3600 M Street
Merced, CA 95348-2898
(209) 384-6191
alexander.s () mccd edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel Bennett
Sent: Tuesday, December 06, 2011 8:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Student Passwords

This has gone around a few times in the past but I am looking for fresh results. What is your stance on student passwords? Do you make them change their password every X number of days? Complexity rules? Etc.

Thanks.
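
The composition rules listed in the message, checked against the helpdesk template it quotes and against a passphrase, as an added example that is not part of the original post or of Merced College's systems. The 16-character length rule, the regular expression for the template, and the name/year/symbol counts used for the guess-space estimate are assumptions made for illustration.

```python
import math
import re

def meets_composition_policy(pw):
    """Rules as listed in the post: 8+ chars, upper, lower, digit, special."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def meets_length_policy(pw, min_len=16):
    """Hypothetical length-only alternative; min_len=16 is an assumption."""
    return len(pw) >= min_len

# Capitalised word + four-digit year + one trailing symbol ("Name1928*").
TEMPLATE = re.compile(r"[A-Z][a-z]+(?:19|20)\d{2}[^A-Za-z0-9]")

def follows_helpdesk_template(pw):
    return TEMPLATE.fullmatch(pw) is not None

def template_bits(names=5000, years=100, symbols=10):
    """Guess space of the template; all three counts are assumed sizes."""
    return math.log2(names * years * symbols)

def passphrase_bits(words=4, wordlist_size=7776):
    """Randomly chosen words; 7776 is the size of a diceware-style list."""
    return words * math.log2(wordlist_size)

def review(pw):
    """Summarise how one candidate password fares under each check."""
    return {
        "composition_ok": meets_composition_policy(pw),
        "length_ok": meets_length_policy(pw),
        "helpdesk_template": follows_helpdesk_template(pw),
    }

# Constructed sample inputs; only "Name1928*" appears in the post.
SAMPLES = ["Name1928*", "Spring2011!", "correct horse battery staple"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r}: {review(pw)}")
    print(f"template   ~{template_bits():.1f} bits")
    print(f"passphrase ~{passphrase_bits():.1f} bits")
```

The template passwords satisfy every composition rule while the passphrase is rejected, even though under these assumed sizes the template's guess space is far smaller.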