Educause Security Discussion mailing list archives

Re: Password policy


From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 2 Nov 2006 09:54:26 -0500

Mike Wiseman wrote:

> Good point on the latter statement (as has also been made by Jim and
> Dan) - it's good practice to match the authentication system strength to
> the risk/consequences of a failure of that system (see NIST
> 800-63). Username/password auth is acceptable for a majority of
> applications that a typical student uses. An employee, on the other
> hand, who has read/write access to ERP, student records, server
> administration, etc. should be using a relatively stronger
> authentication method.

For those of you who provide a "universal account and password"
that allows people to access multiple systems:

1) Do you allow the universal account to be used both with
   sensitive and non-sensitive applications?

2) Do you enforce separate password policies on the universal
   accounts whose holders can access sensitive systems? If so,
   through what mechanism?

thanks,

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
