Educause Security Discussion mailing list archives

Re: 802.1X password reset issues


From: "Davis, Michael" <MichaelDavis () LETU EDU>
Date: Wed, 14 Nov 2018 20:46:22 +0000

Jim,

We've had the same experience as you with our policy of annual password changes for employees. We would use Netwrix 
tools for the Help Desk to identify where the lockouts were coming from so we could guide the employee on what device 
to check and whether it was email or WiFi, etc.

Now, we're in the process of eliminating expiring passwords to better align with the latest NIST recommendations. So 
far it's an opt-in preview. Any of our employees who want a non-expiring password can email us and we put them in a 
security group that enables Azure AD MFA and sets a fine-grained password policy that requires more characters (15 
instead of the old 7), but eliminates password expiration and complexity. Excellent feedback thus far from our 
participants and we expect we'll eventually roll this out to everyone.


Michael A. Davis
Director, Information Security
Director, User Support & Engagement
[w] 903.233.3500 | [f] 903.233.3501
[l] LinkedIn/michaeldavis<http://www.linkedin.com/in/michael-davis-b042b84> | [t] @mdavis332<twitter.com/mdavis332>



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pardonek, Jim
Sent: Wednesday, November 14, 2018 2:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 802.1X password reset issues

We are getting some grumbling from several staff that get into a password lockout condition when changing their twice a 
year required password.  We mostly see this when people have multiple devices connected to the wireless network and 
they forget one of them and it locks out from re-auth requests or if they don't change the password for their email 
client and that locks us out.  We have recommended procedures (turn off all devices but one and re-do the password one 
at a time).  We've tried to make it less painful by upping the number of failed password attempts before it locks out, 
but I don't want to get to a point where we sacrifice security for convenience.  Do any of you folks have similar 
issues and what have you done to make it easier?

Thanks,

Jim


James Pardonek, MS, CISSP, CEH, GSNA
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL  60660

*: (773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog http://blogs.luc.edu/uiso/

