Educause Security Discussion mailing list archives
Re: Password change *recommended* -- RESULTS?
From: "McClenon, Brady" <Brady.McClenon () ONEONTA EDU>
Date: Wed, 16 Apr 2014 14:23:01 +0000
Except in the case of an incident where passwords may have been leaked or otherwise compromised, in which case it seems it would be a required change and just not recommended, I'm curious as to the thoughts of those here on why you would enforce periodic password changes on users.

It is an extremely weak protection against brute force attacks and better controls against brute force attacks exist. Brute force mitigation is the reasoning I'm usually given or read about. The other reason is some convoluted idea about shared passwords and forgetting or knowing who they were shared with. Seems like a terrible practice to begin with that needs to end. Periodic password changes, in this case, seem to offer some protection, albeit insufficient, but its usefulness may be trumped by the numerous emails I've seen myself or been told about that are used to disseminate the new password for the generic account.

I'm not against forced periodic password changes, and was once a proponent of them, but it is a bone of contention with users and as I reevaluate my position the cons seem to outweigh the pros. So I'm interested in hearing any pros that perhaps I'm not thinking of.

Brady McClenon
Senior Server Administrator
Information Technology Services
SUNY College at Oneonta
607-436-3203

"Quotes found on the internet are not always accurate." - Abraham Lincoln

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Wednesday, April 16, 2014 9:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

We made a change in our security policies and have told the campus they must change their password. After 2 weeks of communications in every form imaginable (even including door hangers in residential halls), roughly 50%-60% of faculty and staff have changed their password and roughly 20% of students have.

We've decided to give a deadline; if the password hasn't been changed by that date, the "must change at next logon" gets set (this hasn't been communicated yet, so the slackers aren't relying on it).

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pedersen, Krystal
Sent: Wednesday, April 16, 2014 7:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password change *recommended* -- RESULTS?

Hello Everyone -

I was looking to get an idea as to how successful a recommended password change broadcast is (to the entire school population)? Perhaps a percentage, such as -- last time we sent a broadcast out recommending a password change, with instructions on how to change your password, less than 1% of passwords were actually changed?

Thanks!

Krystal Pedersen, CISA
Information Technology <http://inside.umassmed.edu/is/index.aspx>
Information Security, Risk & Compliance Analyst
krystal.pedersen () umassmed edu
Current thread:
- Password change *recommended* -- RESULTS? Pedersen, Krystal (Apr 16)
- Re: Password change *recommended* -- RESULTS? Bob Bayn (Apr 16)
- Re: Password change *recommended* -- RESULTS? Pete Hickey (Apr 16)
- Re: Password change *recommended* -- RESULTS? Mitchell Pautz (Apr 16)
- Re: Password change *recommended* -- RESULTS? Thomas Carter (Apr 16)
- Re: Password change *recommended* -- RESULTS? McClenon, Brady (Apr 16)
- Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 16)
- Re: Password change *recommended* -- RESULTS? Mike Cunningham (Apr 16)
- Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 16)
- Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 23)
- Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 23)
- Re: Password change *recommended* -- RESULTS? Will Froning (Apr 16)
- Re: Password change *recommended* -- RESULTS? Mike Cunningham (Apr 23)
- Re: Password change *recommended* -- RESULTS? Mike Cunningham (Apr 23)
- Re: Password change *recommended* -- RESULTS? McClenon, Brady (Apr 16)
- Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 23)