Educause Security Discussion mailing list archives

Re: Password aging


From: Steve Worona <sworona () EDUCAUSE EDU>
Date: Tue, 13 Jan 2004 11:19:11 -0500

Jim -- I'm sure I'm missing something obvious, but how would your response
to the password exposure (for which condolences are certainly in order)
have been different if password aging had already been in place?  Wouldn't
you still have had to notify everyone and tell them to change their passwords?

Best wishes.

Steve
-----
At 11:09 AM -0500 1/13/04, Jim Moore wrote:
We had the unfortunate experience of having a password exposure for a small number of passwords, however, we could not 
tell which ones.

So we had to send an announcement, asking users to change their passwords.  And to make matters worse, it was just 
before Christmas break.

So what we added on was adapted from "Hard to Guess, doesn't necessarily mean Hard to Remember."

Be Sure to Select a Password that is
·      More than eight characters in length (longer is better).
·      Varied characters (alphabetical or numeric characters - without
punctuation or duplication).  **Here is where we are bitten by legacy systems - we will add in punctuation characters as 
soon as we can **
·      Mixed (upper and lower) case characters.
·      Not found in any dictionary (English or foreign language).
·      Unrelated to personal information someone could discover about you,
such as your name or the name of a family member, or your address, phone number, login name, social security number, 
brand of automobile, or favorite pastime.

Three Easy Ways to Select a Secure Password
·      Choose a favorite quotation, book title, song, or poem, and use the
first letter of each word, mixed with digits you can remember. For example, the quotation "Imagination is more 
important than knowledge" - Albert Einstein mixed with multiples of 2, might become "iimitk2468AE" or "24IimitkAE68".
·      Alternate between a random consonant and vowel to produce a nonsense
word that can often be pronounced. For example, "hikupwaso." Now mix the case of the letters and add a few digits. For 
example, "hikup79WASO" or "HIKUPwaso79."
·      Choose two or more shorter words and concatenate them with number(s)
between them. For example: "booK451BradburY" or "4booK5bradburY1".

Go ahead and Write it down
Effective passwords may initially be harder to remember, especially over a holiday break. Go ahead and write it down 
and store it with your money or your credit cards and other "valuables."  Just don't put your new password on a 
post-it or calendar near your computer while you're away. Starting in 2004, everyone will be required to change their 
password about once per quarter (every 120 days).

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
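The rule list and the three selection methods in Jim's announcement are easy to turn into a small checker and candidate builder. What follows is an added example, not code from either message or from EDUCAUSE. The word list (SAMPLE_DICTIONARY) and the personal-information tuple in the demo are constructed for the example; a real check would load a wordlist such as /usr/share/dict/words. Two of the posted rules need a reading: "varied characters" is taken as "at least one letter and at least one digit", and "without duplication" as "not built from a handful of repeated characters", since the post's own examples ("iimitk2468AE", "booK451BradburY") contain doubled letters and so cannot mean back-to-back repeats.

```python
"""Check a candidate against the posted password rules and build candidates
with the three posted selection methods.

Added example, not code from the original post.  Dictionary and personal
info are constructed here; "varied characters" is read as letters+digits,
"without duplication" as "not made of a few repeated characters".
"""
import secrets

# Constructed stand-in for "any dictionary (English or foreign language)".
SAMPLE_DICTIONARY = {
    "imagination", "knowledge", "password", "einstein",
    "book", "bradbury", "welcome", "monkey", "bonjour",
}

CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"
DIGITS = "0123456789"


def check_password(pw, personal_info=(), dictionary=SAMPLE_DICTIONARY):
    """Return the posted rules the candidate violates (empty list == acceptable)."""
    problems = []
    if len(pw) <= 8:
        problems.append("more than eight characters")
    # Legacy-system constraint from the post: letters and digits only.
    if not (pw.isascii() and pw.isalnum()):
        problems.append("letters and digits only (no punctuation)")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("varied characters (letters and digits)")
    # "Without duplication": reject candidates where most characters are repeats.
    if len(set(pw.lower())) < len(pw) // 2:
        problems.append("too many repeated characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("mixed upper and lower case")
    # Test the password as typed and its letters alone, so "Password123" is caught.
    letters = "".join(c for c in pw if c.isalpha()).lower()
    if pw.lower() in dictionary or letters in dictionary:
        problems.append("found in dictionary")
    low = pw.lower()
    if any(len(item) >= 3 and item.lower() in low for item in personal_info):
        problems.append("related to personal information")
    return problems


def first_letter_mnemonic(phrase, digits, initials=""):
    """Method 1: first letter of each word of a quotation, plus memorable
    digits and, optionally, the author's initials."""
    acronym = "".join(w[0].lower() for w in phrase.split() if w[0].isalpha())
    return acronym + digits + initials


def nonsense_word(length=9, rng=None):
    """Method 2: alternate a random consonant and vowel into a pronounceable
    nonsense word, then insert two digits and upper-case the tail, in the
    shape of the posted "hikup79WASO".  rng is injectable for testing."""
    rng = rng or secrets.SystemRandom()
    word = "".join(rng.choice(CONSONANTS if i % 2 == 0 else VOWELS)
                   for i in range(length))
    cut = (length + 1) // 2
    return word[:cut] + rng.choice(DIGITS) + rng.choice(DIGITS) + word[cut:].upper()


def joined_words(first, second, number):
    """Method 3: two shorter words with a number between them; the last letter
    of each word is upper-cased, as in the posted "booK451BradburY"."""
    def cap_last(w):
        return w[:-1] + w[-1].upper()
    return cap_last(first) + number + cap_last(second.capitalize())


if __name__ == "__main__":
    # Constructed demo: personal info a colleague could look up about the user.
    personal = ("Jim", "Moore")
    for cand in ("welcome", "Password123", "Moore2004xyZ", "hikup79WASO",
                 first_letter_mnemonic("Imagination is more important than knowledge", "2468", "AE"),
                 joined_words("book", "bradbury", "451"),
                 nonsense_word()):
        print(f"{cand:24} {check_password(cand, personal_info=personal) or 'OK'}")
```

The dictionary test strips digits before the lookup because the legacy "letters and digits only" rule pushes users toward dictionary words with a number bolted on; a check on the raw string alone would wave "Password123" through. The personal-information test is a plain substring match on items of three or more characters, which is deliberately crude: it is meant to catch a surname or login name inside the password, not to replace a proper wordlist.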
