Educause Security Discussion mailing list archives

Re: Password policy


From: Daniel R Jones <Dan.Jones () COLORADO EDU>
Date: Wed, 1 Nov 2006 15:06:49 -0700

Ultimately I do not believe that there is one correct answer to this.
You have to look at what data/asset you are attempting to protect.  Are
password expirations for email worth the extra complexity, pain, and
suffering both for the end user and support organization?  I'd argue no.
Would I be concerned by a system administrator who has had the same
8-character password since the last century?  Yes.

So, I would not automatically rule out password expiration policy from
possible controls you might put in place. I would however put it on the
table as one of my last options if other controls (for example
passphrases or two factor for system administration) are not feasible.

Regards,

Dan Jones, CISSP
Director, Campus IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: Kellogg, Brian D. [mailto:bkellogg () SBU EDU]
Sent: Wednesday, November 01, 2006 11:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password policy

A couple of questions:

1.    Do most enforce password expirations?  I came from a large
corporation and they enforced a 90 day password expiration policy.  It
seemed to have the effect of making passwords less secure as most would
write them down in obvious places.
2.    Do most enforce a strong password policy?
3.    Any other recommendations/insights along this line would be
helpful.

Thanks,

Brian