Educause Security Discussion mailing list archives
Re: Password Management Policy & Standards
From: Von Welch <von () VONWELCH COM>
Date: Thu, 25 Feb 2016 13:08:41 +0000
+1 to Scott's comment. Compliance is the best argument for password expiration. I don't believe any risk-based argument holds up when one considers usability costs and the best arguments I've heard I believe are better addressed by locking inactive accounts rather than expiring passwords.

Von

On Wed, Feb 24, 2016 at 7:26 PM Bradner, Scott <sob () harvard edu> wrote:
you should review Gene Spafford’s

Security Myths and Passwords
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/

and

Passwords and Myth
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/

Scott

On Feb 24, 2016, at 7:19 PM, Carlos Lobato <clobato () NMSU EDU> wrote:

Hello Colleagues,

I'm working on promoting institutional compliance with our current password policy, which requires regular password changes every 120 days for all accounts.

However, I would like to know if some of you have created a table or matrix listing all of your types of accounts and if password expiration dates vary depending on the type of account, which would be based on risk.

If you have a listing, I would highly appreciate a link or a copy to your document. I am using various resources including the NIST SP 800-118 and I can share with the group after I finish my analysis and potentially re-write our current NMSU password policy to make it more realistic.

Thank you so much for any input that you may have.

Carlos,

Carlos S. Lobato, CISA, CISSP, CPA
IT Compliance Officer
New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM 88003
Phone (575) 646-5902
Fax (575) 646-5278