Educause Security Discussion mailing list archives
Re: Password change *recommended* -- RESULTS?
From: Ben Marsden <bmarsden () SMITH EDU>
Date: Wed, 23 Apr 2014 18:01:05 -0500
Hi all,

First, the direct answer to the question : I sent a mass email recommending a pwd change at 3:39pm on Friday (later than I'd hoped, another story). Between then and midnight Monday - which I think is a good window for direct response to this message -- we had 674 people change their passwords, or roughly 15% of the total user population. I think that's a decent number...

On the more general questions raised since : we recently changed our password policy to require more secure passwords (we're now at 14 character minimum, the stick), but we no longer expire them (the carrot). As part of this change, we tried hard to drive home two key awareness responsibilities to our users : () do NOT share your account access with anyone -- including your parents, and () do NOT use your Smith password for *any other* account you may have. Non-expiring pwds is a risk trade-off, along with many factors, but in general, I'm OK with this policy.

So, yes, I now take moments like this to actively remind people to voluntarily change their passwords.

And yes, I'd love to move away from passwords as the sole guardian to user identity authentication, especially as we expand the use of SSO and cloud-based services...

hope this helps,
-- Ben

============================================
Ben Marsden : Information Security Director, CISSP/GISP
ITS, Stoddard Hall, Smith College, Northampton, MA 01063
bmarsden [at] smith [.] edu 413 [.] 585 [.] 4479
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!

On Wed, Apr 16, 2014 at 8:03 AM, Pedersen, Krystal <Krystal.Pedersen () umassmed edu> wrote:
Hello Everyone –

I was looking to get an idea as to how successful a recommended password change broadcast is (to the entire school population)? Perhaps a percentage, such as -- last time we sent a broadcast out recommending a password change, with instructions on how to change your password, less than 1% of passwords were actually changed?

Thanks!

Krystal Pedersen, CISA
Information Technology <https://urldefense.proofpoint.com/v1/url?u=http://inside.umassmed.edu/is/index.aspx&k=7DHVT22D9IhC0F3WohFMBA%3D%3D%0A&r=bXp2kHmqqvQ6sWF4ur04lEXjzuwJrQENi85YnNSGYsA%3D%0A&m=tafFNXnwSjwMFZCEX1T%2BL%2FujUKiKnTUQbUfN7cqKKMc%3D%0A&s=d37158bd00a98a22d60e199b1ca4c51524784149331f76e99c6dbfd97c92aa06>
Information Security, Risk & Compliance Analyst
krystal.pedersen () umassmed edu