Educause Security Discussion mailing list archives
Re: Password policy
From: Daniel R Jones <Dan.Jones () COLORADO EDU>
Date: Wed, 1 Nov 2006 15:06:49 -0700
Ultimately I do not believe that there is one correct answer to this. You have to look at what data/asset you are attempting to protect. Are password expirations for email worth the extra complexity, pain, and suffering both for the end user and support organization? I'd argue no. Would I be concerned by a system administrator who has had the same 8 character password from the last century? Yes.

So, I would not automatically rule out password expiration policy from possible controls you might put in place. I would however put it on the table as one of my last options if other controls (for example passphrases or two factor for system administration) are not feasible.

Regards,
Dan Jones, CISSP
Director, Campus IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: Kellogg, Brian D. [mailto:bkellogg () SBU EDU]
Sent: Wednesday, November 01, 2006 11:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password policy

A couple questions:

1. Do most enforce password expirations? I came from a large corporation and they enforced a 90 day password expiration policy. It seemed to have the effect of making passwords less secure as most would write them down in obvious places.
2. Do most enforce a strong password policy?
3. Any other recommendations/insights along this line would be helpful.

Thanks,
Brian