Educause Security Discussion mailing list archives
Re: Student paper "editorial" on robust passwords
From: Ryan Matteson <rmatteso () CALPOLY EDU>
Date: Thu, 23 Sep 2004 12:57:29 -0700
Arlene Yetnikoff wrote:
> <SNIP>
> The system administrator soon found that most of his users' passwords had been chosen from the first ten or so on the list. I hope that doesn't happen here. :-)
>
> Rule #1 -- if you enforce strict password rules, and offer users examples of a "good" password, make sure to add a rule restricting those examples. ;-)
>
> But this is an issue we're thinking about here also. What type of tradeoffs are other institutions making on password complexity vs. expiration interval? I'd love to hear the collected wisdom of the populace on this one.
> <SNIP>

At Cal Poly we've made a similar tradeoff as UT with regards to complexity, are moving towards our centralized username/password with strong management support, and are currently working on a one year expiration period for typical users. In some ways we are more strict than UT in order to address specific concerns with older systems which have local copies of some (centrally controlled) passwords. We're continually assessing the threats and safeguards, and when possible we try to compensate towards solutions that minimize frustration for users.

There are obviously a number of difficult trade-offs to make, but a key element for us has been active support and participation of our Service Desk. With an assistive password tool in place ("that password is not acceptable because it contains a word" etc.) many users will understand what's expected -- but for those who do not, a friendly voice can make the experience less traumatic while sharing some good "security mindset" with the users.

Communication (through multiple avenues) is also important so that users understand why the rules are necessary. We've presented to many different groups, given interviews to student papers (though with results not matching those at UT!), sent targeted e-mails, etc.

An approach we've talked about but not yet implemented for password issues is to follow the great example set by UMich (and used at UFl) of topical humorous posters:

http://www.itd.umich.edu/posters/
http://www.itsa.ufl.edu/posters/passwords.pdf

We *have* passed some of these around at management meetings as an ice-breaker/reminder prior to discussing a specific issue.

--
Ryan Matteson rmatteso () calpoly edu
Enterprise Architect/OCIO Security Assurance (805) 756-7676
Information Technology Services
Cal Poly, San Luis Obispo
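An added example (not code from Cal Poly or from anyone in this thread) of the kind of assistive checker Ryan describes, which tells the user *why* a candidate is rejected, and which also applies Arlene's Rule #1 by banning the policy page's own example passwords. The dictionary, the example-password list, the complexity rules and the leetspeak undo table are all constructed here for illustration.

```python
"""Assistive password checker: explains why a candidate is unacceptable.

Added example; not a tool from Cal Poly or any poster in this thread.
Word list, example-password list and rules are constructed placeholders.
"""
import re

# Constructed: "good password" examples from a hypothetical policy page.
# Per Rule #1 in the thread, the examples themselves must be rejected.
DOCUMENTATION_EXAMPLES = {"Tr0ub4dor&3", "C0rrectH0rse!", "P@ssw0rd2004"}

# Constructed mini-dictionary; a deployment would load a full word list.
DICTIONARY = {"password", "mustang", "college", "football", "welcome", "summer"}

# Common substitutions undone before the dictionary check (4->a, 3->e, ...).
_LEET = str.maketrans("4301$@!|", "aeolsaii")

# Character classes counted toward the complexity rule.
_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


def _normalize(candidate: str) -> str:
    """Lowercase, drop leading/trailing non-letters, then undo substitutions."""
    folded = re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())
    return folded.translate(_LEET)


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return human-readable reasons the password is unacceptable.

    An empty list means the candidate passed every rule.
    """
    reasons = []
    if len(candidate) < 8:
        reasons.append("too short: at least 8 characters are required")
    if sum(bool(re.search(p, candidate)) for p in _CLASSES) < 3:
        reasons.append("must mix at least three of: lowercase, uppercase, digits, symbols")
    if candidate in DOCUMENTATION_EXAMPLES:
        reasons.append("this is one of the example passwords from the policy page")
    core = _normalize(candidate)
    if core in DICTIONARY:
        reasons.append(f"contains a word ({core!r}) even after undoing substitutions")
    if len(username) >= 3 and username.lower() in candidate.lower():
        reasons.append("must not contain your username")
    return reasons


if __name__ == "__main__":
    for pw in ("mustang", "Tr0ub4dor&3", "P@ssw0rd2004", "Vk7#qLm2pR!x"):
        print(pw, "->", check_password(pw, username="jsmith") or "accepted")
```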