Re: Password Expiration

[Charlie Prothero <Charlie.Prothero () KEYSTONE EDU>]

Dave - Maybe, as your note suggests, it's time we did look more
seriously at 2-factor.  If passwords have weaknesses that policy and
user training can't fix, what options remain?  I, too, have the budget
problem, but I'm hoping that increased interest in this area will bring
about more affordable solutions.  In the meantime, we might have to work
up a corollary to your starting sentence, "Just because something might
be *expensive* doesn't mean you shouldn't do it!"

 

- Charlie

 

________________________________

From: Dave Koontz [mailto:dkoontz () MBC EDU] 
Sent: Saturday, April 08, 2006 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Expiration

 

Just because something might be difficult doesn't mean you shouldn't do
it.

 

Keep in mind that you also have to consider brute force hacker tools,
user empathy and social engineering that can obtain a username /
password.  While it's true that a user may write their password on a
'post-it" note and attach it to their monitor, they could just as easily
tell a friend or co-worker their password to logon to a system.  While
not perfect, a solid password change policy at least ensures that any
users compromised password is only good for a finite period of time,
rather than forever.  A policy such as this used in conjunction with
system monitoring can save you a lot of protential problems in the
future.  Just imagine for a second that a user gives their boyfriend
their logon info, then have a nasty break-up.  Do you want to trust that
information forever?

 

Ideally, we would all have two+ factor authentication, but for now that
is outside most or our budgets.  Limiting how long a "Key" (password) is
good for seems logical to me.  Many hotels/motels change their digital
locks after each guest to help ensure a 'compromised' key isn't used.


 

________________________________

From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU] 
Sent: Friday, April 07, 2006 10:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Expiration

I've always been skeptical about the benefits of requiring regular
password changes, for the same reasons.  It seems like it can be an
example of the law of unintended consequences - you enact a procedure,
i.e., requiring password changes,  to try to make things more secure
and, by virtue of that procedure, you may actually be making things less
secure.

It can be very difficult, in a university environment, to stop people
from recording their passwords in insecure manners.  And, of course, the
more lengthy and difficult to remember the password is, the more likely
it is to be written down carelessly.

I would also think you want to decide who you are protecting the
password from - whether it is from a breach through the internet or a
breach from physical access.  If physical access breach is not an issue,
then writing the password on a stick-on note and pasting it to the
monitor is less of an issue.

Harold Winshel



At 02:19 PM 4/7/2006, David Walker wrote:



At the University of California, we dropped our policy requirement for
regular password changes a few years ago.  It is our belief that
requiring regular password changes can actually decrease security, as it
encourages people to write their passwords in insecure locations.  Also,
the password changes tend to be minimal, say, changing a sequence number
within the password.  It's our sense that enforcing password changes is
a mitigation for threats (accessible password files on timesharing
systems, passwords transmitted in the clear) that are no longer
prevalent.

Another thing to consider is how long a "wrong" person might have a
password before they lose it due to an enforced change by the "right"
person.  If the enforced period is 180 days, then the "wrong" person
will have a password, on average, for about three months.  I suspect
most of us would want that average exposure to be measured in minutes or
hours (seconds?  milliseconds?), rather than months, but none of us
would be willing to change our passwords more than once a day.

David Walker
Director, Advanced Technology
Information Resources and Communications
University of California, Office of the President
1111 Franklin Street, Room 7115
Oakland, CA 94607-5200
(510) 987-0500
(510) 451-4340 (FAX)
David.Walker () ucop edu

On Fri, 2006-04-07 at 08:06 -0400, Nancy R Evans wrote: 



Good Day, 
  
Here at Indiana University of Pennsylvania (IUP) we have had password
expiration set to 180 day since we started requiring authentication to
our machines. That was about 4 years ago.  The expiration is what trips
most of our students up.  No matter how often we try to educate them
they always seem to get caught. One problem we have with our expiration
is that you only know when your password has expired if you are using
and on campus machine. (I have yet to try emails)  We have recently
offered a self serve password reset to our students via their SCT Banner
accounts.  Seems to have been accepted well. 
Someone mentioned that the forced expiration is actually more of a
problem, well I think I would agree.  It seems to me that is encourages
the students to "share" account access.  Currently do not have a single
sign on service.  Do those of you who have single sign on find that it
reduces password problems?   Since I supervise our student and academic
faculty/staff help desks I have been asked to conduct a password
education process.  I am looking for some fresh ideas.  Could you all
please share some of your ideas and success. 
  
Thank you, 
  
Nancy R. Evans, MIS
Coordinator of User Services
Academic Technology Services
Indiana University of Pennsylvania
(724) 357-1329
Nancy.Evans () iup edu 

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B36 Armitage Hall 
Camden NJ 08102
(856) 225-6669 (O)