Educause Security Discussion mailing list archives

Re: Password change *recommended* -- RESULTS?


From: Ben Marsden <bmarsden () SMITH EDU>
Date: Wed, 23 Apr 2014 18:01:05 -0500

Hi all, first, the direct answer to the question: I sent a mass email
recommending a pwd change at 3:39pm on Friday (later than I'd hoped,
another story). Between then and midnight Monday -- which I think is a good
window for direct response to this message -- we had 674 people change
their passwords, or roughly 15% of the total user population. I think
that's a decent number...

On the more general questions raised since: we recently changed our
password policy to require more secure passwords (we're now at a 14-character
minimum, the stick), but we no longer expire them (the carrot). As part of
this change, we tried hard to drive home two key awareness responsibilities
to our users: () do NOT share your account access with anyone -- including
your parents, and () do NOT use your Smith password for *any other*
account you may have. Non-expiring pwds are a risk trade-off, along with
many factors, but in general, I'm OK with this policy.

So, yes, I now take moments like this to actively remind people to
voluntarily change their passwords.

And yes, I'd love to move away from passwords as the sole guardian to user
identity authentication, especially as we expand the use of SSO and
cloud-based services...

hope this helps,

-- Ben


============================================
Ben Marsden : Information Security Director, CISSP/GISP
ITS, Stoddard Hall, Smith College, Northampton, MA 01063
bmarsden [at] smith [.] edu     413 [.] 585 [.] 4479
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!



On Wed, Apr 16, 2014 at 8:03 AM, Pedersen, Krystal <
Krystal.Pedersen () umassmed edu> wrote:

Hello Everyone -- I was looking to get an idea as to how successful a
recommended password change broadcast is (to the entire school population).
Perhaps a percentage, such as -- last time we sent a broadcast out
recommending a password change, with instructions on how to change your
password, less than 1% of passwords were actually changed?

Thanks!

Krystal Pedersen, CISA
Information Technology
<https://urldefense.proofpoint.com/v1/url?u=http://inside.umassmed.edu/is/index.aspx&k=7DHVT22D9IhC0F3WohFMBA%3D%3D%0A&r=bXp2kHmqqvQ6sWF4ur04lEXjzuwJrQENi85YnNSGYsA%3D%0A&m=tafFNXnwSjwMFZCEX1T%2BL%2FujUKiKnTUQbUfN7cqKKMc%3D%0A&s=d37158bd00a98a22d60e199b1ca4c51524784149331f76e99c6dbfd97c92aa06>
Information Security, Risk & Compliance Analyst
krystal.pedersen () umassmed edu