Educause Security Discussion mailing list archives

Re: Password Complexity and Aging


From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Fri, 10 Apr 2009 08:56:08 -0400

Our policy states that:
-Minimum 8 Characters
-At least 1 Uppercase
-At least 1 Lowercase
-At least 1 Number
-At least 1 Special
-Change every 120 days

This is consistent with our rules with the exception that we force a change every 90 days, not 120 days. However, we only enforce this on enterprise applications (systems that hold most of our important data). Users of enterprise applications go through a second round of authentication where the rules are enforced.


Would anyone be willing to share their password complexity and aging requirements?

Our general guidance is at the following link and is for the most part consistent with what we do for enterprise applications.

http://www.cmu.edu/iso/governance/guidelines/password-management.html


Are we asking too much/not enough?  Does anyone have any quality tips or resources that would help
substantiate why passwords must be this strong?  Are there any compliance drivers worth mentioning?

I think most IT standards/regulations can be used to help drive password strength in general. Most don't get specific enough to drive a particular set of rules though. With the exception of password lifetime, the rules you mention are fairly standard practice in my experience. We pretty much used the "it's common practice" argument. We also had auditors driving this for us, so there was less resistance as a result. I've seen a lot of variation in password lifetime. I've not found any good research to support 60 vs. 90 vs. 120 vs. 180 etc. 90 days was hard coded into our previous security policy, so it stuck with us.


I'm sure many of you have had the pleasure of implementing strong password policies.  Any advice you
have would be greatly appreciated.

Any discussion around password policy is less than pleasurable for me. They actually make me weep like a baby. With the amount of time we've spent debating, writing code for and communicating password policy, we could have just implemented a two-factor solution. :-)
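As an added illustration of the rules quoted in this message (example code written for this archive page, not code from the thread or from CMU), the following Python checker treats the five complexity rules as data and takes the password lifetime as a parameter, so the 90-day and 120-day variants discussed can be evaluated side by side. Function names and the sample values are assumptions of the example.

```python
import re
from datetime import date, timedelta

# The complexity rules as quoted in the thread, each as (name, predicate).
COMPLEXITY_RULES = [
    ("minimum 8 characters", lambda p: len(p) >= 8),
    ("at least 1 uppercase", lambda p: re.search(r"[A-Z]", p) is not None),
    ("at least 1 lowercase", lambda p: re.search(r"[a-z]", p) is not None),
    ("at least 1 number", lambda p: re.search(r"[0-9]", p) is not None),
    ("at least 1 special", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def complexity_failures(password):
    """Return the names of the rules the candidate password does not satisfy."""
    return [name for name, ok in COMPLEXITY_RULES if not ok(password)]


def days_until_expiry(last_changed, max_age_days, today=None):
    """Days remaining before a forced change; negative means already expired.

    max_age_days is the site-specific lifetime: 120 in the quoted policy,
    90 for the enterprise applications described in the reply.
    """
    today = today or date.today()
    expires_on = last_changed + timedelta(days=max_age_days)
    return (expires_on - today).days


def evaluate(password, last_changed, max_age_days, today=None):
    """Combine the complexity and aging checks into one policy verdict."""
    failures = complexity_failures(password)
    remaining = days_until_expiry(last_changed, max_age_days, today)
    if remaining < 0:
        failures.append("password older than %d days" % max_age_days)
    return {"compliant": not failures,
            "failures": failures,
            "days_until_expiry": remaining}


if __name__ == "__main__":
    # Constructed sample values (not from the thread): same password and
    # change date, evaluated under the 120-day and the 90-day lifetime.
    changed = date(2009, 1, 1)
    as_of = date(2009, 4, 10)
    print(evaluate("Example!2009", changed, 120, today=as_of))
    print(evaluate("Example!2009", changed, 90, today=as_of))
```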
