Re: Password Complexity and Aging

["Schumacher, Adam J" <ADAMSCHUMACHER () CREIGHTON EDU>]

Our policy requires:

Minimum 8 chars
At least 3/4 of the following
 uppercase chars
 lowercase chars
 numbers
 special chars
Past 10 passwords are remembered
Passwords must change every 180 days

Also important with this would be limiting the use of LM hashes on windows
machines.  If you use AD this can easily be done through group policy.  Or
you can require >14 characters in passwords (Windows won't use LM if the
password is 15 chars or more).

It helps to explain to users that every account is important to secure (yes,
including theirs) as it could be used to elevate privileges/impersonate the
user/affect others (for ex: by sending out tons of spam).  I think getting
users to understand the security implications of why we are asking them to
use strong passwords it the most likely way to get them to accept the
additional burden.

On 4/9/09 11:49 AM, "Matthew Giannetto" <MGiannet () MC3 EDU> wrote:

> We are looking to implement a new password policy, and are currently trying to
> get our committee of end-users to buy into the change.  The two sticking
> points are password complexity and password aging.  They seem to understand
> the importance, but want to make sure that we're not asking too much from our
> end-users.  They're looking for more assurance that what we're asking is
> necessary, and that we're not going overboard compared to most other colleges.
>
> Our policy states that:
> -Minimum 8 Characters
> -At least 1 Uppercase
> -At least 1 Lowercase
> -At least 1 Number
> -At least 1 Special
> -Change every 120 days
>
> Would anyone be willing to share their password complexity and aging
> requirements?
>
> Are we asking too much/not enough?  Does anyone have any quality tips or
> resources that would help substantiate why passwords must be this strong?  Are
> there any compliance drivers worth mentioning?
>
> Has there been a recent study that surveys password complexity/aging in
> education?
>
> Does anyone have other advice on how to get faculty, staff, and students to
> buy-in to this change?
>
> I'm sure many of you have had the pleasure of implementing strong password
> policies.  Any advice you have would be greatly appreciated.
>
>
>
> Thanks,
> Matthew Y. Giannetto
> Manager of IT Security
> Montgomery County Community College
> mgiannet () mc3 edu
> 215.619.7442
>
>
> Home of the 2006, 2004 and 2002 CASE and Carnegie Foundation for the
> Advancement of Teaching's Pennsylvania Professors of the Year.
>
> This e-mail message and any files transmitted with it are intended for the use
> of the individual(s) or entity to which they are addressed and may contain
> information that is privileged, proprietary or confidential. If you are not an
> intended recipient, you may not use, distribute or duplicate any information
> contained within this message. If you have received this communication in
> error, please immediately destroy all occurrences of this message and notify
> the sender. Thank you.
>
> Montgomery County Community College
> 340 DeKalb Pike, Blue Bell, PA, USA, 19422
> 101 College Drive, Pottstown, PA, USA, 19464
> www.mc3.edu

sha1(

Adam Schumacher
Information Security Engineer
Creighton University

Don't share your password with ANYONE, EVER.  This means YOU!

402-280-2383
402-672-1732

)

= 1a72637cf94189654ab1a827520a5e41738f41b0

Attachment: smime.p7s
Description: