Educause Security Discussion mailing list archives

Re: Password change *recommended* -- RESULTS?


From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Wed, 23 Apr 2014 17:50:52 -0500

Sure, although our experience is that this almost never happens.  I think it's pretty clear that changing passwords is 
nobody's idea of a good time.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike 
Cunningham
Sent: Wednesday, April 16, 2014 10:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

Except when the users who want to keep them in sync go to all those other sites and change their password.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger A 
Safian
Sent: Wednesday, April 16, 2014 10:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

It's not unusual for users to create accounts on other sites using their Northwestern address as the user name and 
their Northwestern password.  By having the Northwestern password age we have an opportunity to no longer sync these 
accounts.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
McClenon, Brady
Sent: Wednesday, April 16, 2014 9:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

Except in the case of an incident where passwords may have been leaked or otherwise compromised, in which case it seems it 
would be a required change and not just recommended, I'm curious as to the thoughts of those here on why you would enforce 
periodic password changes on users.  It is an extremely weak protection against brute force attacks and better controls 
against brute force attacks exist.  Brute force mitigation is the reasoning I'm usually given or read about.

The other reason is some convoluted idea about shared passwords and forgetting or knowing who they were shared with.  
Seems like a terrible practice to begin with that needs to end.  Periodic password changes, in this case, seems to 
offer some protection, albeit insufficient, but its usefulness may be trumped by the numerous emails I've seen myself 
or been told about that are used to disseminate the new password for the generic account.

I'm not against forced periodic password changes, and was once a proponent of them, but it is a bone of contention with 
users and as I re-evaluate my position the cons seem to outweigh the pros. So I'm interested in hearing any pros that 
perhaps I'm not thinking of.


Brady McClenon
Senior Server Administrator
Information Technology Services
SUNY College at Oneonta
607-436-3203

"Quotes found on the internet are not always accurate."  - Abraham Lincoln

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
Carter
Sent: Wednesday, April 16, 2014 9:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

We made a change in our security policies and have told the campus they must change their password. After 2 weeks of 
communications in every form imaginable (even including door hangers in residential halls), roughly 50%-60% of faculty 
and staff have changed their password and roughly 20% of students have. We've decided to give a deadline; if the 
password hasn't been changed by that date, the "must change at next logon" gets set (this hasn't been communicated yet, 
so the slackers aren't relying on it).

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564
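The procedure above (measure how many accounts have changed their password since the announcement, then flip the stragglers to "must change at next logon" once the deadline passes) is the kind of thing that is usually driven from Active Directory. The script below is an added example, not Thomas Carter's or Austin College's code; it assumes the ActiveDirectory PowerShell module, an announcement date and deadline set as placeholders, and that faculty/staff and students live in separate OUs (all assumptions, adjust to your directory).

```powershell
# Added example (not from the thread): report compliance with a "change your password"
# campaign per population, and after the deadline flag non-compliant accounts for
# "must change at next logon". ActiveDirectory module, dates and OU paths are assumptions.
Import-Module ActiveDirectory

$PolicyAnnounced = Get-Date '2014-04-02'   # assumed date the campaign started (placeholder)
$Deadline        = Get-Date '2014-04-30'   # assumed hard deadline (placeholder)
$Today           = Get-Date

# Populations by OU; the DNs are placeholders for your own directory layout.
$Groups = @{
    'Faculty/Staff' = 'OU=Staff,DC=example,DC=edu'
    'Students'      = 'OU=Students,DC=example,DC=edu'
}

function Get-ChangeCompliance {
    param([string]$SearchBase)
    # PasswordLastSet is $null when pwdLastSet is 0, i.e. the account is already
    # flagged "must change at next logon"; such accounts count as not yet changed.
    $users   = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties PasswordLastSet)
    $changed = @($users | Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -ge $PolicyAnnounced })
    $pending = @($users | Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $PolicyAnnounced })
    [pscustomobject]@{
        Total      = $users.Count
        Changed    = $changed.Count
        Percent    = if ($users.Count) { [math]::Round(100 * $changed.Count / $users.Count, 1) } else { 0 }
        Stragglers = $pending
    }
}

$report = foreach ($name in $Groups.Keys) {
    $r = Get-ChangeCompliance -SearchBase $Groups[$name]
    [pscustomobject]@{ Population = $name; Total = $r.Total; Changed = $r.Changed; Percent = $r.Percent }

    if ($Today -ge $Deadline) {
        # Past the deadline: force a change at next logon rather than disabling the account.
        # -WhatIf keeps this a dry run; drop it once the report numbers look right.
        $r.Stragglers | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
    }
}

$report | Format-Table -AutoSize
```

Two caveats worth knowing before trusting the percentages: an administrative reset also updates PasswordLastSet, so help-desk resets during the campaign count as "changed", and once an account is flagged for change at next logon its PasswordLastSet reads as null, so the report run after enforcement will show those accounts as pending until the user actually logs on and changes it.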

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Pedersen, Krystal
Sent: Wednesday, April 16, 2014 7:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password change *recommended* -- RESULTS?

Hello Everyone - I was looking to get an idea as to how successful a recommended password change broadcast is (to the 
entire school population). Perhaps a percentage, such as: last time we sent a broadcast out recommending a password 
change, with instructions on how to change your password, less than 1% of passwords were actually changed?

Thanks!

Krystal Pedersen, CISA
Information Technology <http://inside.umassmed.edu/is/index.aspx>
Information Security, Risk & Compliance Analyst
krystal.pedersen () umassmed edu
