Educause Security Discussion mailing list archives

Re: Password Expiration


From: David Walker <David.Walker () UCOP EDU>
Date: Fri, 7 Apr 2006 11:19:20 -0700

At the University of California, we dropped our policy requirement for
regular password changes a few years ago.  It is our belief that
requiring regular password changes can actually decrease security, as it
encourages people to write their passwords in insecure locations.  Also,
the password changes tend to be minimal, say, changing a sequence number
within the password.  It's our sense that enforcing password changes is
a mitigation for threats (accessible password files on timesharing
systems, passwords transmitted in the clear) that are no longer
prevalent.

Another thing to consider is how long a "wrong" person might have a
password before they lose it due to an enforced change by the "right"
person.  If the enforced period is 180 days, then the "wrong" person
will have a password, on average, for about three months.  I suspect
most of us would want that average exposure to be measured in minutes or
hours (seconds?  milliseconds?), rather than months, but none of us
would be willing to change our passwords more than once a day.

David Walker
Director, Advanced Technology
Information Resources and Communications
University of California, Office of the President
1111 Franklin Street, Room 7115
Oakland, CA 94607-5200
(510) 987-0500
(510) 451-4340 (FAX)
David.Walker () ucop edu

On Fri, 2006-04-07 at 08:06 -0400, Nancy R Evans wrote:
Good Day,
 
Here at Indiana University of Pennsylvania (IUP) we have had password
expiration set to 180 days since we started requiring authentication to
our machines. That was about 4 years ago.  The expiration is what
trips most of our students up.  No matter how often we try to educate
them they always seem to get caught. One problem we have with our
expiration is that you only know when your password has expired if you
are using an on-campus machine. (I have yet to try emails.)  We have
recently offered a self-serve password reset to our students via their
SCT Banner accounts.  Seems to have been accepted well.
Someone mentioned that the forced expiration is actually more of a
problem, well I think I would agree.  It seems to me that it
encourages the students to "share" account access.  Currently we do not
have a single sign-on service.  Do those of you who have single sign-on
find that it reduces password problems?  Since I supervise our
student and academic faculty/staff help desks I have been asked to
conduct a password education process.  I am looking for some fresh
ideas.  Could you all please share some of your ideas and successes.
 
Thank you,
 
Nancy R. Evans, MIS
Coordinator of User Services
Academic Technology Services
Indiana University of Pennsylvania
(724) 357-1329
Nancy.Evans () iup edu
