Educause Security Discussion mailing list archives

Re: Password expiration - was Re: [SECURITY] Security Awareness Programs


From: Mike Cunningham <mike.cunningham () PCT EDU>
Date: Thu, 3 Apr 2014 15:09:51 +0000

To expand on the "annoyance" comment..

We all will accept a new student, create them an account, set an initial password, have them change it on first use to 
one of their choosing. All is well and good in the world.
Then they come on campus...
They connect their laptop to wireless which embeds the password in the device.
They connect their phone to wireless which embeds the password in the device.
They set up activesync on their phone which embeds the password in the app.
They connect their tablet to wireless which embeds the password in the device.
They set up activesync on their tablet which embeds the password in the app.
They connect their IPTV to wireless which embeds the password in the device.
They connect their game console to wireless which (might) embed the password in the device.

Two months later we make them change their password and the chaos begins. They don't remember all the places they used 
their password and those devices then try to connect, over and over again, and eventually disable the account. Student 
tries to log on using the new password and can't. The student calls the helpdesk to report they can't log on and the 
first thing the helpdesk does is reset the password. And the cycle continues. If the student does think about the need 
to change the wireless device password they almost always forget that activesync needs changed too. One recent incident 
we had it took almost three weeks to get a student back to normal because they had used a parent's phone to set up their 
email account and forgot they did that.

And in another couple of months that will all happen again.
  

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger A 
Safian
Sent: Thursday, April 03, 2014 8:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password expiration - was Re: [SECURITY] Security Awareness Programs

 Ultimately, I'm not finding the benefit strong enough to move me from 
my core belief that it's not worth the usability trade-off and we 
should instead be focusing energy getting users to use password 
managers. But I admit that's subjective.

I'm not sure that password managers will take off.  The whole password system is little more than an annoyance to most 
users, and until that changes, we're just expending a lot of energy, mostly needlessly.   That being said, I'm pinning 
my hopes on multi-factor authentication.  Maybe one of us will get lucky.  

