Educause Security Discussion mailing list archives

Re: Password expiration Process ?


From: "Franklin, Elliott" <franklin () TXSTATE EDU>
Date: Thu, 6 Apr 2006 09:38:02 -0500

I agree with Scott.

We implemented password expiration in October of last year (90 days for
faculty/staff and 180 for students) and are now being asked to review it
again by the faculty.  We send multiple reminder emails before disabling
the account but as most have discovered, these emails are usually
deleted without being read or caught by internal rules or spam filters.
After searching the list archives as well as reading many other
university policies, we are moving toward changing the expiration to
once per year and beginning work on two-factor authentication for those
with access to private data.

Elliott Franklin, CISSP
Information Security Analyst
Texas State University-San Marcos
http://www.vpit.txstate.edu/security 
512.245.2501

-----Original Message-----
From: Scott Bradner [mailto:sob () HARVARD EDU] 
Sent: Thursday, April 06, 2006 9:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password expiration Process ?

 First, are any of you using a password
expiration process in a student self-service environment?

specifically no
reviewing the research (as was done in a discussion on this list a 
while back) we concluded that forcing password changes would, in net,
reduce security rather than increase it for this type of situation
(along with pissing off the students etc) 

it seems far better to do things like send email notices when some
kinds of changes are made by the student (e.g. changing password or 
privacy settings) that might indicate a 3rd party accessing the 
account

Scott
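The notification approach Scott describes, as an added example that is not part of the thread or of any university's actual system: it turns constructed account-activity audit lines into "was this you?" notices for the account owner whenever a change that could signal a third party in the account (password, privacy settings, recovery address) is recorded. The log format, field names and the set of sensitive events are assumptions.

```python
# Added example, not from the mailing-list thread. Log format and event names are assumed.
from dataclasses import dataclass
import csv
import io

# Changes that might indicate someone other than the owner in the account,
# mapped to the wording sent to the owner. Routine events are deliberately not listed.
SENSITIVE_CHANGES = {
    "password_change": "your password was changed",
    "privacy_settings_change": "your privacy settings were changed",
    "recovery_email_change": "your recovery e-mail address was changed",
}

@dataclass(frozen=True)
class Notice:
    user: str
    timestamp: str
    message: str

def parse_events(log_text):
    """Parse constructed CSV audit lines of the form: timestamp,user,event,source_ip."""
    reader = csv.DictReader(io.StringIO(log_text.strip()),
                            fieldnames=["ts", "user", "event", "src"])
    return list(reader)

def build_notices(events):
    """Return one Notice per sensitive change; logins, profile edits, etc. produce none.

    Deliver each notice to the contact address that was on file *before* the change,
    so a changed recovery address does not divert the warning to whoever changed it.
    """
    notices = []
    for e in events:
        wording = SENSITIVE_CHANGES.get(e["event"])
        if wording is None:
            continue  # not a security-relevant change
        msg = (f"At {e['ts']}, {wording} from {e['src']}. "
               "If you did not make this change, contact the help desk immediately.")
        notices.append(Notice(e["user"], e["ts"], msg))
    return notices

# Constructed sample audit log: two of the four events should trigger a notice.
SAMPLE_LOG = """
2006-04-06T09:10:00,jdoe,login,10.0.0.5
2006-04-06T09:12:30,jdoe,password_change,10.0.0.5
2006-04-06T09:15:00,asmith,profile_photo_update,10.0.0.9
2006-04-06T09:20:00,jdoe,privacy_settings_change,198.51.100.23
"""

if __name__ == "__main__":
    for n in build_notices(parse_events(SAMPLE_LOG)):
        print(f"to {n.user}: {n.message}")
```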
