Educause Security Discussion mailing list archives

Re: Student paper "editorial" on robust passwords


From: Ryan Matteson <rmatteso () CALPOLY EDU>
Date: Thu, 23 Sep 2004 12:57:29 -0700

Arlene Yetnikoff wrote:
><SNIP><
The system administrator soon found that most of his users' passwords
had been chosen from the first ten or so on the list.

I hope that doesn't happen here.  :-)

Rule #1 -- if you enforce strict password rules, and offer users
examples of a "good" password, make sure to add a rule restricting those
examples.  ;-)


But this is an issue we're thinking about here also.  What type of
tradeoffs are other institutions making on password complexity vs.
expiration interval?  I'd love to hear the collected wisdom of the
populace on this one.
><SNIP><

At Cal Poly we've made a similar tradeoff as UT with regards to
complexity, are moving towards our centralized username/password with
strong management support, and are currently working on a one year
expiration period for typical users.

In some ways we are more strict than UT in order to address specific
concerns with older systems which have local copies of some (centrally
controlled) passwords.  We're continually assessing the threats and
safeguards, and when possible we try to compensate towards solutions
that minimize frustration for users.

There are obviously a number of difficult trade-offs to make, but a key
element for us has been active support and participation of our Service
Desk.  With an assistive password tool in place ("that password is not
acceptable because it contains a word" etc.) many users will understand
what's expected -- but for those who do not, a friendly voice can make
the experience less traumatic while sharing some good "security mindset"
with the users.

Communication (through multiple avenues) is also important so that users
understand why the rules are necessary.  We've presented to many
different groups, given interviews to student papers (though with
results not matching those at UT!), sent targeted e-mails, etc.

An approach we've talked about but not yet implemented for password
issues is to follow the great example set by UMich (and used at UFl) of
topical humorous posters:

     http://www.itd.umich.edu/posters/
     http://www.itsa.ufl.edu/posters/passwords.pdf

We *have* passed some of these around at management meetings as an
ice-breaker/reminder prior to discussing a specific issue.


--
Ryan Matteson                                 rmatteso () calpoly edu
Enterprise Architect/OCIO Security Assurance        (805) 756-7676
Information Technology Services          Cal Poly, San Luis Obispo
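As an added illustration of the two points raised above (an "assistive password tool" that tells the user why a password was refused, and Rule #1 that the examples printed in the guidance must themselves be rejected), here is a small checker. It is not code from the original message or from Cal Poly; the dictionary, the published examples and the rule thresholds are constructed assumptions.

```python
import re
from typing import List

# Constructed sample data (assumptions, not from the original message):
# a tiny word list and the example passwords printed in a hypothetical
# password-guidance handout.
DICTIONARY_WORDS = {"password", "mustang", "autumn", "horse", "battery"}
PUBLISHED_EXAMPLES = {"Tr0ub4dor&3", "Autumn2004!"}
MIN_LENGTH = 8
MIN_CLASSES = 3
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def check_password(candidate: str) -> List[str]:
    """Return human-readable reasons the password is unacceptable.

    An empty list means the candidate passes every rule.  Each reason is
    phrased so a service desk can read it back to the user.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"it is shorter than {MIN_LENGTH} characters")
    classes_used = sum(1 for c in CHARACTER_CLASSES if re.search(c, candidate))
    if classes_used < MIN_CLASSES:
        reasons.append(f"it uses fewer than {MIN_CLASSES} character classes")
    lowered = candidate.lower()
    # Dictionary check is case-insensitive and matches embedded words,
    # so "MyHorse42!" is refused for containing "horse".
    for word in sorted(DICTIONARY_WORDS):
        if len(word) >= 4 and word in lowered:
            reasons.append(f"it contains the word '{word}'")
            break
    # Rule #1: anything printed as an example in the guidance is refused,
    # regardless of how strong it would otherwise look.
    if lowered in {e.lower() for e in PUBLISHED_EXAMPLES}:
        reasons.append("it is one of the examples printed in the password guidance")
    return reasons


def guidance_examples_rejected() -> bool:
    """Self-check for Rule #1: every published example must fail the rules."""
    return all(check_password(example) for example in PUBLISHED_EXAMPLES)
```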
