Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: Ryan Fox <rfox () FINDLAY EDU>
Date: Mon, 13 Apr 2009 08:16:25 -0400
Geoff Nathan wrote:
> I'll second Roger and Valdis' comments about the religious nature of this debate. I tried to educate our auditors and failed, and indeed they had expiry of ancient account passwords in mind as a driving force. So far there haven't been many loud squawks, but we're only into our second 180 days.

We're implementing (today, actually) a password policy of 8+ characters, include upper, lower, and digit. No automatic expiration. We actually didn't have to fight our auditors on expiration at all. I suspect this is because we were more prepared than our auditor. ;)

As part of our policy, we included the math to determine the keyspace, along with how long it would take an attacker to brute force the keyspace (lower limit known, as we enforce account lockout after N attempts). This was acceptably long given our number of accounts, and provided no reason for us to enforce a short expiration period.

Ryan
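The kind of calculation the message above describes, as an added example that is not part of the original post or the poster's policy document. The lockout values (5 attempts, 30-minute lockout), the 5000-account population and the uniformly-random-password model are assumptions made here; the 180-day window is borrowed from the quoted message.

```python
from math import expm1, log1p

UPPER, LOWER, DIGIT = 26, 26, 10  # class sizes for A-Z, a-z, 0-9

def compliant_keyspace(length):
    """Count passwords of exactly `length` chars over [A-Za-z0-9] that
    contain at least one upper, one lower and one digit."""
    total = UPPER + LOWER + DIGIT
    # Inclusion-exclusion: remove strings missing one class, then add back
    # strings missing two classes, which were removed twice.
    missing_one = sum((total - c) ** length for c in (UPPER, LOWER, DIGIT))
    missing_two = sum(c ** length for c in (UPPER, LOWER, DIGIT))
    return total ** length - missing_one + missing_two

def guesses_per_day(attempts_before_lockout, lockout_minutes):
    """Upper bound on online guesses against one account per day when the
    account locks for `lockout_minutes` after N failed attempts."""
    return attempts_before_lockout * (24 * 60 / lockout_minutes)

def years_to_exhaust(keyspace, per_day):
    """Years needed to try every compliant password against one account."""
    return keyspace / (per_day * 365)

def p_any_account_guessed(keyspace, per_day, days, accounts):
    """Chance that at least one of `accounts` is guessed within `days`.
    Assumes uniformly random passwords and no repeated guesses, so it
    models exhaustive search only, not dictionary guessing."""
    x = min(1.0, per_day * days / keyspace)  # per-account success chance
    if x >= 1.0:
        return 1.0
    # 1 - (1 - x)^accounts, computed stably for very small x.
    return -expm1(accounts * log1p(-x))

if __name__ == "__main__":
    # Assumed values: minimum length 8, N = 5, 30-minute lockout,
    # 5000 accounts, 180-day window.
    k = compliant_keyspace(8)
    rate = guesses_per_day(5, 30)
    print(f"keyspace at length 8: {k:,}")
    print(f"guesses/day/account:  {rate:.0f}")
    print(f"years to exhaust:     {years_to_exhaust(k, rate):.3e}")
    print(f"P(any of 5000 in 180d): {p_any_account_guessed(k, rate, 180, 5000):.3e}")
```

Length 8 is the policy minimum, so the keyspace figure is a lower bound for an "8+" rule.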