Educause Security Discussion mailing list archives
Re: 802.1X password reset issues
From: "Davis, Michael" <MichaelDavis () LETU EDU>
Date: Wed, 14 Nov 2018 20:46:22 +0000
Jim,

We've had the same experience as you with our policy of annual password changes for employees. We would use Netwrix tools for the Help Desk to identify where the lockouts were coming from so we could guide the employee on what device to check and whether it was email or WiFi, etc.

Now, we're in the process of eliminating expiring passwords to better align with the latest NIST recommendations. So far it's an opt-in preview. Any of our employees who want a non-expiring password can email us and we put them in a security group that enables Azure AD MFA and sets a fine-grained password policy that requires more characters (15 instead of the old 7), but eliminates password expiration and complexity. Excellent feedback thus far from our participants and we expect we'll eventually roll this out to everyone.

Michael A. Davis
Director, Information Security
Director, User Support & Engagement
[w] 903.233.3500 | [f] 903.233.3501
[l] LinkedIn/michaeldavis <http://www.linkedin.com/in/michael-davis-b042b84> | [t] @mdavis332 <twitter.com/mdavis332>

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pardonek, Jim
Sent: Wednesday, November 14, 2018 2:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 802.1X password reset issues

We are getting some grumbling from several staff that get into a password lockout condition when changing their twice a year required password. We mostly see this when people have multiple devices connected to the wireless network and they forget one of them and it locks out from re-auth requests or if they don't change the password for their email client and that locks us out. We have recommended procedures (turn off all devices but one and re-do the password one at a time).

We've tried to make it less painful by upping the number of failed password attempts before it locks out, but I don't want to get to a point where we sacrifice security for convenience. Any of you folks have similar issues and what have you done to make it easier?

Thanks,
Jim

James Pardonek, MS, CISSP, CEH, GSNA
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL 60660
Phone: (773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online:
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog: http://blogs.luc.edu/uiso/

Current thread:
- 802.1X password reset issues Pardonek, Jim (Nov 14)
- Re: 802.1X password reset issues Davis, Michael (Nov 14)
- Re: 802.1X password reset issues William Clark (Nov 14)
- Re: 802.1X password reset issues Brian Epstein (Nov 14)
- Re: 802.1X password reset issues David Curry (Nov 14)
- Re: 802.1X password reset issues Davis, Michael (Nov 14)