Educause Security Discussion mailing list archives
Re: Password Expiration
From: Bill Betlej <bbetlej () MBC EDU>
Date: Mon, 10 Apr 2006 08:25:23 -0400
Don't underestimate the educational power that a "change your password" policy has. Many of the users I talk to have mentioned they now understand the importance of a secure (don't write it on a sticky note) and often-changed password. What they can't seem to get their hands around is that they really don't feel they have anything on their own PCs that is worth stealing.

Bill Betlej

_____

From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
Sent: Monday, April 10, 2006 8:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Expiration

I really appreciate the input that everyone has submitted on this one. It confirms to me that there is no simple answer to this question - and not necessarily right or wrong answers - but rather different approaches to addressing the same problem. I think this discussion group is a great forum for exploring different approaches to a lot of problems we all have.

Thanks,
Harold

At 10:00 AM 4/9/2006, Charlie Prothero wrote:

Dave - Maybe, as your note suggests, it's time we did look more seriously at 2-factor. If passwords have weaknesses that policy and user training can't fix, what options remain? I, too, have the budget problem, but I'm hoping that increased interest in this area will bring about more affordable solutions. In the meantime, we might have to work up a corollary to your starting sentence, "Just because something might be *expensive* doesn't mean you shouldn't do it!"

- Charlie

_____

From: Dave Koontz [mailto:dkoontz () MBC EDU]
Sent: Saturday, April 08, 2006 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Expiration

Just because something might be difficult doesn't mean you shouldn't do it. Keep in mind that you also have to consider brute force hacker tools, user empathy and social engineering that can obtain a username / password.

While it's true that a user may write their password on a "post-it" note and attach it to their monitor, they could just as easily tell a friend or co-worker their password to log on to a system. While not perfect, a solid password change policy at least ensures that any user's compromised password is only good for a finite period of time, rather than forever. A policy such as this used in conjunction with system monitoring can save you a lot of potential problems in the future. Just imagine for a second that a user gives their boyfriend their logon info, then they have a nasty break-up. Do you want to trust that information forever? Ideally, we would all have two+ factor authentication, but for now that is outside most of our budgets. Limiting how long a "Key" (password) is good for seems logical to me. Many hotels/motels change their digital locks after each guest to help ensure a 'compromised' key isn't used.

_____

From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
Sent: Friday, April 07, 2006 10:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Expiration

I've always been skeptical about the benefits of requiring regular password changes, for the same reasons. It seems like it can be an example of the law of unintended consequences - you enact a procedure, i.e., requiring password changes, to try to make things more secure and, by virtue of that procedure, you may actually be making things less secure. It can be very difficult, in a university environment, to stop people from recording their passwords in insecure manners. And, of course, the more lengthy and difficult to remember the password is, the more likely it is to be written down carelessly. I would also think you want to decide who you are protecting the password from - whether it is from a breach through the internet or a breach from physical access. If physical access breach is not an issue, then writing the password on a stick-on note and pasting it to the monitor is less of an issue.

Harold Winshel

At 02:19 PM 4/7/2006, David Walker wrote:

At the University of California, we dropped our policy requirement for regular password changes a few years ago. It is our belief that requiring regular password changes can actually decrease security, as it encourages people to write their passwords in insecure locations. Also, the password changes tend to be minimal, say, changing a sequence number within the password. It's our sense that enforcing password changes is a mitigation for threats (accessible password files on timesharing systems, passwords transmitted in the clear) that are no longer prevalent. Another thing to consider is how long a "wrong" person might have a password before they lose it due to an enforced change by the "right" person. If the enforced period is 180 days, then the "wrong" person will have a password, on average, for about three months. I suspect most of us would want that average exposure to be measured in minutes or hours (seconds? milliseconds?), rather than months, but none of us would be willing to change our passwords more than once a day.

David Walker
Director, Advanced Technology
Information Resources and Communications
University of California, Office of the President
1111 Franklin Street, Room 7115
Oakland, CA 94607-5200
(510) 987-0500
(510) 451-4340 (FAX)
David.Walker () ucop edu

On Fri, 2006-04-07 at 08:06 -0400, Nancy R Evans wrote:

Good Day,

Here at Indiana University of Pennsylvania (IUP) we have had password expiration set to 180 days since we started requiring authentication to our machines. That was about 4 years ago. The expiration is what trips most of our students up. No matter how often we try to educate them they always seem to get caught. One problem we have with our expiration is that you only know when your password has expired if you are using an on-campus machine. (I have yet to try emails.) We have recently offered a self-serve password reset to our students via their SCT Banner accounts. It seems to have been accepted well. Someone mentioned that the forced expiration is actually more of a problem; well, I think I would agree. It seems to me that it encourages the students to "share" account access. We currently do not have a single sign-on service. Do those of you who have single sign-on find that it reduces password problems? Since I supervise our student and academic faculty/staff help desks I have been asked to conduct a password education process. I am looking for some fresh ideas. Could you all please share some of your ideas and successes.

Thank you,
Nancy R. Evans, MIS
Coordinator of User Services
Academic Technology Services
Indiana University of Pennsylvania
(724) 357-1329
Nancy.Evans () iup edu

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B36 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)