Educause Security Discussion mailing list archives

Re: Password policy


From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 1 Nov 2006 13:30:00 -0500

Brian,

You may want to consult the latest ECAR security study
(http://www.educause.edu/LibraryDetailPage/666?ID=ERS0606) for
percentages of schools who employ various practices, but I can tell you
our story:

We enforce password complexity, non-reuse, and expiration (180 days).

Our policy does not forbid their safe storage, but admonishes keeping
them secret.  We cast it this way to avoid the backlash effect you cite
below, where user reaction makes them less secret.  We felt that a
password stored relatively safely (e.g. in a wallet) was less of a
threat vector than one which was simple and easily guessed and/or has
never changed.

This policy was phased in weekly on randomly-selected accounts each week
over an academic year, so not everyone's password had to be changed at
the same time.

Individual difficulties (usually inconvenience) were of course cited by
some, but overall these constituted a _very_ low percentage of the
population.  No exceptions have been deemed necessary (so far, knock wood).


Kellogg, Brian D. wrote:
A couple questions:

   1. Do most enforce password expirations?  I came from a large
      corporation and they enforced a 90-day password expiration
      policy.  It seemed to have the effect of making passwords less
      secure as most would write them down in obvious places.
   2. Do most enforce a strong password policy?
   3. Any other recommendations/insights along this line would be helpful.

Thanks,

Brian


--

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- Director, Information Security
  University of Notre Dame, Office of Information Technologies
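
The controls Gary describes (complexity, non-reuse against a password history, 180-day expiration, enforcement phased in on randomly selected accounts week by week over an academic year), as an added Python example that is not part of this thread. The specific complexity rule, a 36-week academic year, PBKDF2 for the history digests and the cohort-by-hash scheme are assumptions, not Notre Dame's configuration:

```python
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import List, Optional, Tuple

MAX_AGE_DAYS = 180   # expiration interval stated in the message
ROLLOUT_WEEKS = 36   # assumed length of an academic year, in weeks


def is_complex(pw: str, min_len: int = 10) -> bool:
    """Assumed complexity rule: minimum length plus three of four character classes."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= min_len and sum(classes) >= 3


def hash_for_history(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest so the non-reuse history never stores recoverable passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def is_reused(pw: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if pw matches any (salt, digest) pair kept for the account."""
    return any(hmac.compare_digest(hash_for_history(pw, s)[1], d) for s, d in history)


def is_expired(last_changed: date, today: date) -> bool:
    """True once the password is MAX_AGE_DAYS old or older."""
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


def rollout_week(account: str, campaign: str = "rollout-2006") -> int:
    """Deterministic pseudo-random cohort (0..ROLLOUT_WEEKS-1) for phased enforcement.

    Hashing the account name with a campaign label spreads accounts evenly across
    the weeks while keeping each account's week stable between runs.
    """
    digest = hashlib.sha256(f"{campaign}:{account}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % ROLLOUT_WEEKS


def enforcement_due(account: str, campaign_start: date, today: date) -> bool:
    """Expiration is enforced on an account only once its cohort week has arrived."""
    return today >= campaign_start + timedelta(weeks=rollout_week(account))
```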
