Re: Password Management Policy & Standards

[Von Welch <von () VONWELCH COM>]

+1 to Scott's comment.

Compliance is the best argument for password expiration. I don't believe
any risk-based argument holds up when one considers usability costs and the
best arguments I've heard I believe are better addressed by locking
inactive accounts rather than expiring passwords.

Von


On Wed, Feb 24, 2016 at 7:26 PM Bradner, Scott <sob () harvard edu> wrote:

> you should review
> Gene Spaford’s Security Myths and Passwords
> http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
> and Passwords and Myth
> http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/
>
> Scott
>
> > On Feb 24, 2016, at 7:19 PM, Carlos Lobato <clobato () NMSU EDU> wrote:
> >
> > Hello Colleagues,
> >
> > I'm working on promoting institutional compliance with our current
> password policy, which requires regular password changes every 120 days for
> all accounts.
> > However, I would like to know if some of you have created a table or
> matrix listing all of your type of accounts and if password expiration
> dates vary depending on the type of account, which would be based on risk.
> > If you have a listing, I would highly appreciate a link or a copy to
> your document.  I am using various resources including the NIST SP 800-118
> and I can share with the group after I finish my analysis and potentially
> re-write our current NMSU password policy to make more realistic.
> > Thank you so much for any input that you may have.
> >
> > Carlos,
> >
> > Carlos S. Lobato, CISA, CISSP, CPA
> > IT Compliance Officer
> >
> > New Mexico State University
> > Information and Communication Technologies
> > MSC 3AT PO Box 30001
> > Las Cruces, NM  88003
> >
> > Phone (575) 646-5902
> > Fax (575) 646-5278