Educause Security Discussion mailing list archives

Password Complexity and Aging

From: Matthew Giannetto <MGiannet () MC3 EDU>
Date: Thu, 9 Apr 2009 12:49:12 -0400

We are looking to implement a new password policy, and are currently trying to get our committee of end-users to buy
into the change. The two sticking points are password complexity and password aging. They seem to understand the
importance, but want to make sure that we're not asking too much from our end-users. They're looking for more
assurance that what we're asking is necessary, and that we're not going overboard compared to most other colleges.

Our policy states that:
-Minimum 8 Characters
-At least 1 Uppercase
-At least 1 Lowercase
-At least 1 Number
-At least 1 Special
-Change every 120 days

Would anyone be willing to share their password complexity and aging requirements?

Are we asking too much/not enough? Does anyone have any quality tips or resources that would help substantiate why
passwords must be this strong? Are there any compliance drivers worth mentioning?

Has there been a recent study that surveys password complexity/aging in education?

Does anyone have other advice on how to get faculty, staff, and students to buy-in to this change?

I'm sure many of you have had the pleasure of implementing strong password policies. Any advice you have would be
greatly appreciated.

Thanks,
Matthew Y. Giannetto
Manager of IT Security
Montgomery County Community College
mgiannet () mc3 edu
215.619.7442

Home of the 2006, 2004 and 2002 CASE and Carnegie Foundation for the Advancement of Teaching's Pennsylvania Professors
of the Year.

This e-mail message and any files transmitted with it are intended for the use of the individual(s) or entity to which
they are addressed and may contain information that is privileged, proprietary or confidential. If you are not an
intended recipient, you may not use, distribute or duplicate any information contained within this message. If you have
received this communication in error, please immediately destroy all occurrences of this message and notify the sender.
Thank you.

Montgomery County Community College
340 DeKalb Pike, Blue Bell, PA, USA, 19422
101 College Drive, Pottstown, PA, USA, 19464
www.mc3.edu

Current thread:

Password Complexity and Aging Matthew Giannetto (Apr 09)
- <Possible follow-ups>
- Re: Password Complexity and Aging Tupker, Mike (Apr 09)
- Re: Password Complexity and Aging Eric Case (Apr 09)
- Re: Password Complexity and Aging Doug Markiewicz (Apr 10)
- Re: Password Complexity and Aging Stanclift, Michael (Apr 10)
- Re: Password Complexity and Aging Valdis Kletnieks (Apr 10)
- Re: Password Complexity and Aging King, Ronald A. (Apr 10)
- Re: Password Complexity and Aging Roger Safian (Apr 10)
- Re: Password Complexity and Aging Valdis Kletnieks (Apr 10)
- Re: Password Complexity and Aging Geoff Nathan (Apr 11)
- Re: Password Complexity and Aging Stephen John Smoogen (Apr 11)

(Thread continues...)