Educause Security Discussion mailing list archives
Re: Password change *recommended* -- RESULTS?
From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Wed, 23 Apr 2014 17:50:52 -0500
Sure, although our experience is that this almost never happens. I think it's pretty clear that changing passwords is nobody's idea of a good time.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Cunningham
Sent: Wednesday, April 16, 2014 10:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

Except when the users who want to keep them in sync go to all those other sites and change their password.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger A Safian
Sent: Wednesday, April 16, 2014 10:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

It's not unusual for users to create accounts on other sites using their Northwestern address as the user name and their Northwestern password. By having the Northwestern password age we have an opportunity to no longer sync these accounts.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of McClenon, Brady
Sent: Wednesday, April 16, 2014 9:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

Except in the case of an incident where passwords may have been leaked or otherwise compromised, in which case it seems it would be a required change and just not recommended, I'm curious as to the thoughts of those here on why you would enforce periodic password changes on users. It is an extremely weak protection against brute force attacks and better controls against brute force attacks exist. Brute force mitigation is the reasoning I'm usually given or read about.

The other reason is some convoluted idea about shared passwords and forgetting or knowing who they were shared with. Seems like a terrible practice to begin with that needs to end. Periodic password changes, in this case, seem to offer some protection, albeit insufficient, but its usefulness may be trumped by the numerous emails I've seen myself or been told about that are used to disseminate the new password for the generic account.

I'm not against forced periodic password changes, and was once a proponent of them, but it is a bone of contention with users and as I reevaluate my position the cons seem to outweigh the pros. So I'm interested in hearing any pros that perhaps I'm not thinking of.

Brady McClenon
Senior Server Administrator
Information Technology Services
SUNY College at Oneonta
607-436-3203

"Quotes found on the internet are not always accurate." - Abraham Lincoln

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Wednesday, April 16, 2014 9:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

We made a change in our security policies and have told the campus they must change their password. After 2 weeks of communications in every form imaginable (even including door hangers in residential halls), roughly 50%-60% of faculty and staff have changed their password and roughly 20% of students have. We've decided to give a deadline; if the password hasn't been changed by that date, the "must change at next logon" gets set (this hasn't been communicated yet, so the slackers aren't relying on it).

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pedersen, Krystal
Sent: Wednesday, April 16, 2014 7:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password change *recommended* -- RESULTS?

Hello Everyone -

I was looking to get an idea as to how successful a recommended password change broadcast is (to the entire school population)? Perhaps a percentage, such as -- last time we sent a broadcast out recommending a password change, with instructions on how to change your password, less than 1% of passwords were actually changed?

Thanks!

Krystal Pedersen, CISA
Information Technology <http://inside.umassmed.edu/is/index.aspx>
Information Security, Risk & Compliance Analyst
krystal.pedersen () umassmed edu
Current thread:
- Password change *recommended* -- RESULTS? Pedersen, Krystal (Apr 16)
- Re: Password change *recommended* -- RESULTS? Bob Bayn (Apr 16)
- Re: Password change *recommended* -- RESULTS? Pete Hickey (Apr 16)
- Re: Password change *recommended* -- RESULTS? Mitchell Pautz (Apr 16)
- Re: Password change *recommended* -- RESULTS? Thomas Carter (Apr 16)
- Re: Password change *recommended* -- RESULTS? McClenon, Brady (Apr 16)
- Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 16)
- Re: Password change *recommended* -- RESULTS? Mike Cunningham (Apr 16)
- Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 16)
- Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 23)
- Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 23)
- Re: Password change *recommended* -- RESULTS? Will Froning (Apr 16)
- Re: Password change *recommended* -- RESULTS? Mike Cunningham (Apr 23)
- Re: Password change *recommended* -- RESULTS? Mike Cunningham (Apr 23)
- Re: Password change *recommended* -- RESULTS? McClenon, Brady (Apr 16)
- Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 23)
- Re: Password change *recommended* -- RESULTS? Bob Bayn (Apr 16)
- Re: Password change *recommended* -- RESULTS? Bob Bayn (Apr 23)
- Re: Password change *recommended* -- RESULTS? Bob Bayn (Apr 23)