Educause Security Discussion mailing list archives
Re: Password policy
From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 1 Nov 2006 13:30:00 -0500
Brian,

You may want to consult the latest ECAR security study (http://www.educause.edu/LibraryDetailPage/666?ID=ERS0606) for percentages of schools who employ various practices, but I can tell you our story:

We enforce password complexity, non-reuse, and expiration (180 days). Our policy does not forbid their safe storage, but admonishes keeping them secret. We cast it this way to avoid the backlash effect you cite below, where user reaction makes them less secret. We felt that a password stored relatively safely (e.g. in a wallet) was less of a threat vector than one which was simple and easily guessed and/or has never changed.

This policy was phased in weekly on randomly-selected accounts each week over an academic year, so not everyone's password had to be changed at the same time.

Individual difficulties (usually inconvenience) were of course cited by some, but overall these constituted a _very_ low percentage of the population. No exceptions have been deemed necessary (so far, knock wood).

Kellogg, Brian D. wrote:

A couple questions:

1. Do most enforce password expirations? I came from a large corporation and they enforced a 90 day password expiration policy. It seemed to have the effect of making passwords less secure as most would write them down in obvious places.

2. Do most enforce a strong password policy?

3. Any other recommendations/insights along this line would be helpful.

Thanks,
Brian
--
------------------------------------------------------------
Gary Dobbins, CISSP -- Director, Information Security
University of Notre Dame, Office of Information Technologies
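The policy Gary describes (complexity, non-reuse, 180-day expiration, and a phased rollout that forces changes on a random weekly cohort of accounts) can be modelled in a few lines. The Python below is an added illustration, not code from Notre Dame or from the list; the 36-week rollout length, the 5-password history depth, and the "8 characters, 3 of 4 character classes" complexity rule are assumptions the post does not state.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from random import Random

# Parameters from the post: 180-day expiration, enforced complexity and non-reuse.
EXPIRY_DAYS = 180
# Assumptions (not in the post): a 36-week academic year for the phased rollout
# and the last 5 passwords retained for the non-reuse check.
ROLLOUT_WEEKS = 36
HISTORY_DEPTH = 5

def assign_cohorts(accounts, start, weeks=ROLLOUT_WEEKS, seed=None):
    """Shuffle accounts into evenly sized weekly cohorts; return {account: forced-change date}."""
    rng = Random(seed)          # a fixed seed gives a reproducible schedule for auditing
    order = list(accounts)
    rng.shuffle(order)
    return {acct: start + timedelta(weeks=i % weeks) for i, acct in enumerate(order)}

def is_complex(pw, min_len=8):
    """Assumed complexity rule: at least 8 characters and 3 of 4 character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3

def _digest(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class PasswordRecord:
    """Per-account state: salted hashes of recent passwords and the last change date."""
    def __init__(self):
        self.history = []      # list of (salt, digest), newest last
        self.changed_on = None

    def set_password(self, pw, today):
        """Apply complexity, then non-reuse; return 'ok', 'too simple' or 'reused'."""
        if not is_complex(pw):
            return "too simple"
        if any(hmac.compare_digest(_digest(pw, s), d) for s, d in self.history):
            return "reused"
        salt = secrets.token_bytes(16)
        self.history = (self.history + [(salt, _digest(pw, salt))])[-HISTORY_DEPTH:]
        self.changed_on = today
        return "ok"

    def is_expired(self, today):
        """True once EXPIRY_DAYS have elapsed since the last change (or if never set)."""
        return self.changed_on is None or (today - self.changed_on).days >= EXPIRY_DAYS
```

Storing only salted hashes of prior passwords lets the non-reuse check work without ever keeping old passwords in the clear.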
Current thread:
- Password policy Kellogg, Brian D. (Nov 01)
- <Possible follow-ups>
- Re: Password policy Gary Dobbins (Nov 01)
- Re: Password policy Penn, Blake (Nov 01)
- Re: Password policy Buz Dale (Nov 01)
- Re: Password policy Kevin Shalla (Nov 01)
- Re: Password policy Colleen Keller (Nov 01)
- Re: Password policy Gary Flynn (Nov 01)
- Re: Password policy Harold Winshel (Nov 01)
- Re: Password policy Mclaughlin, Kevin L (mclaugkl) (Nov 01)
- Re: Password policy Gene Spafford (Nov 01)
- Re: Password policy Geoff Nathan (Nov 01)
- Re: Password policy Mclaughlin, Kevin L (mclaugkl) (Nov 01)
(Thread continues...)