Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Fri, 10 Apr 2009 08:56:08 -0400
> Our policy states that:
> - Minimum 8 characters
> - At least 1 uppercase
> - At least 1 lowercase
> - At least 1 number
> - At least 1 special
> - Change every 120 days
This is consistent with our rules with the exception that we force a change every 90 days, not 120 days. However, we only enforce this on enterprise applications (systems that hold most of our important data). Users of enterprise applications go through a second round of authentication where the rules are enforced.
> Would anyone be willing to share their password complexity and aging requirements?
Our general guidance is at the following link and is for the most part consistent with what we do for enterprise applications. http://www.cmu.edu/iso/governance/guidelines/password-management.html
> Are we asking too much/not enough? Does anyone have any quality tips or resources that would help substantiate why passwords must be this strong? Are there any compliance drivers worth mentioning?
I think most IT standards/regulations can be used to help drive password strength in general. Most don't get specific enough to drive a particular set of rules though. With the exception of password lifetime, the rules you mention are fairly standard practice in my experience. We pretty much used the "it's common practice" argument. We also had auditors driving this for us, so there was less resistance as a result. I've seen a lot of variation in password lifetime. I've not found any good research to support 60 vs. 90 vs. 120 vs. 180 etc. 90 days was hard coded into our previous security policy, so it stuck with us.
> I'm sure many of you have had the pleasure of implementing strong password policies. Any advice you have would be greatly appreciated.
Any discussion around password policy is less than pleasurable for me. They actually make me weep like a baby. With the amount of time we've spent debating, writing code for and communicating password policy, we could have just implemented a two-factor solution. :-)
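As an added illustration (not code from either poster), the two policies discussed in this exchange, the original poster's 120-day rule set and the reply's 90-day enterprise variant, expressed as a small checker that reports which complexity rules a password fails and how many days remain before a forced change. The definition of "special" as ASCII punctuation is an assumption; neither post defines the character set.

```python
"""Password policy checker modelled on the rules quoted in this thread.

Added example, not code from the list or from either poster. GENERAL_POLICY
is the original poster's rule set (change every 120 days); ENTERPRISE_POLICY
is the reply's variant (change every 90 days, enterprise applications only).
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
import string


@dataclass(frozen=True)
class Policy:
    min_length: int = 8
    max_age_days: int = 120
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True


GENERAL_POLICY = Policy(max_age_days=120)      # original poster's policy
ENTERPRISE_POLICY = Policy(max_age_days=90)    # reply: 90 days for enterprise apps


def complexity_violations(password: str, policy: Policy = GENERAL_POLICY) -> list[str]:
    """Return the names of the complexity rules the password fails (empty list = passes)."""
    failed: list[str] = []
    if len(password) < policy.min_length:
        failed.append(f"min_length_{policy.min_length}")
    if policy.require_upper and not any(c.isupper() for c in password):
        failed.append("uppercase")
    if policy.require_lower and not any(c.islower() for c in password):
        failed.append("lowercase")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failed.append("number")
    # "special" taken as printable ASCII punctuation: an assumption, since the
    # posted policy does not say which characters count.
    if policy.require_special and not any(c in string.punctuation for c in password):
        failed.append("special")
    return failed


def days_until_change(last_changed: date, today: date, policy: Policy = GENERAL_POLICY) -> int:
    """Days left before a forced change under `policy`; negative means already expired."""
    return (last_changed + timedelta(days=policy.max_age_days) - today).days


if __name__ == "__main__":
    # Constructed sample: a password last changed on 1 Jan 2009, checked on 10 Apr 2009.
    print(complexity_violations("password"))
    print(days_until_change(date(2009, 1, 1), date(2009, 4, 10), ENTERPRISE_POLICY))
```

Running the sample shows the same password still valid for 21 days under the 120-day policy but expired for 9 days under the 90-day enterprise policy, which is exactly the gap the reply describes.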