Educause Security Discussion mailing list archives
Re: Password policy
From: "Penn, Blake" <pennb () UWW EDU>
Date: Wed, 1 Nov 2006 12:47:26 -0600
Brian:

I came from a large bank and we had to change our passwords every 30 days! Our password policy and implementation is pretty much exactly the same as Notre Dame's - with the same results as well. We were pleasantly surprised with the relative lack of problems.

____________________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security/

-----Original Message-----
From: Gary Dobbins [mailto:dobbins () ND EDU]
Sent: Wednesday, November 01, 2006 12:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

Brian,

You may want to consult the latest ECAR security study (http://www.educause.edu/LibraryDetailPage/666?ID=ERS0606) for percentages of schools who employ various practices, but I can tell you our story:

We enforce password complexity, non-reuse, and expiration (180 days). Our policy does not forbid their safe storage, but admonishes keeping them secret. We cast it this way to avoid the backlash effect you cite below, where user reaction makes them less secret. We felt that a password stored relatively safely (e.g. in a wallet) was less of a threat vector than one which was simple and easily guessed and/or has never changed.

This policy was phased in weekly on randomly-selected accounts each week over an academic year, so not everyone's password had to be changed at the same time. Individual difficulties (usually inconvenience) were of course cited by some, but overall these constituted a _very_ low percentage of the population. No exceptions have been deemed necessary (so far, knock wood).

Kellogg, Brian D. wrote:

A couple questions:

1. Do most enforce password expirations? I came from a large corporation and they enforced a 90-day password expiration policy. It seemed to have the effect of making passwords less secure as most would write them down in obvious places.
2. Do most enforce a strong password policy?
3. Any other recommendations/insights along this line would be helpful.

Thanks,
Brian

--
------------------------------------------------------------
Gary Dobbins, CISSP -- Director, Information Security
University of Notre Dame, Office of Information Technologies