Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: "Schumacher, Adam J" <ADAMSCHUMACHER () CREIGHTON EDU>
Date: Mon, 13 Apr 2009 11:16:14 -0500
Our policy requires:

- Minimum 8 chars
- At least 3/4 of the following:
    - uppercase chars
    - lowercase chars
    - numbers
    - special chars
- Past 10 passwords are remembered
- Passwords must change every 180 days

Also important with this would be limiting the use of LM hashes on Windows machines. If you use AD this can easily be done through group policy. Or you can require >14 characters in passwords (Windows won't use LM if the password is 15 chars or more).

It helps to explain to users that every account is important to secure (yes, including theirs) as it could be used to elevate privileges/impersonate the user/affect others (for ex: by sending out tons of spam). I think getting users to understand the security implications of why we are asking them to use strong passwords is the most likely way to get them to accept the additional burden.

On 4/9/09 11:49 AM, "Matthew Giannetto" <MGiannet () MC3 EDU> wrote:
> We are looking to implement a new password policy, and are currently trying to get our committee of end-users to buy into the change. The two sticking points are password complexity and password aging. They seem to understand the importance, but want to make sure that we're not asking too much from our end-users. They're looking for more assurance that what we're asking is necessary, and that we're not going overboard compared to most other colleges.
>
> Our policy states that:
> -Minimum 8 Characters
> -At least 1 Uppercase
> -At least 1 Lowercase
> -At least 1 Number
> -At least 1 Special
> -Change every 120 days
>
> Would anyone be willing to share their password complexity and aging requirements? Are we asking too much/not enough? Does anyone have any quality tips or resources that would help substantiate why passwords must be this strong? Are there any compliance drivers worth mentioning? Has there been a recent study that surveys password complexity/aging in education? Does anyone have other advice on how to get faculty, staff, and students to buy-in to this change?
>
> I'm sure many of you have had the pleasure of implementing strong password policies. Any advice you have would be greatly appreciated.
>
> Thanks,
> Matthew Y. Giannetto
> Manager of IT Security
> Montgomery County Community College
> mgiannet () mc3 edu
> 215.619.7442
sha1( Adam Schumacher Information Security Engineer Creighton University Don't share your password with ANYONE, EVER. This means YOU! 402-280-2383 402-672-1732 ) = 1a72637cf94189654ab1a827520a5e41738f41b0
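
The policy listed in the reply above (minimum 8 characters, 3 of 4 character classes, last 10 passwords remembered, change every 180 days, no LM hash at 15 or more characters), written out as an added Python example that is not part of the original thread. The class and function names, the PBKDF2-based history store, the `lm_disabled_by_policy` parameter and the use of `string.punctuation` as the "special" set are assumptions made for illustration.

```python
import hashlib, hmac, os, string
from collections import deque

MIN_LEN, MIN_CLASSES, HISTORY, MAX_AGE_DAYS = 8, 3, 10, 180
LM_MAX_LEN = 14          # per the post: 15+ characters means no LM hash
PBKDF2_ROUNDS = 50_000   # assumption: demo value, not from the post

def char_classes(pw):
    """Count how many of upper / lower / digit / special appear in pw."""
    tests = (str.isupper, str.islower, str.isdigit,
             lambda c: c in string.punctuation)  # assumed "special" set
    return sum(any(t(c) for c in pw) for t in tests)

def _digest(pw, salt):
    # History keeps salted, slow hashes so old passwords are never stored in clear.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def lm_hash_possible(pw, lm_disabled_by_policy=False):
    """True if Windows could still store an LM hash for this password."""
    return not lm_disabled_by_policy and len(pw) <= LM_MAX_LEN

class Account:
    def __init__(self):
        # Assumption: the current password counts as one of the 10 remembered.
        self.history = deque(maxlen=HISTORY)  # (salt, digest) pairs
        self.changed = None                   # date of last change

    def check(self, pw):
        """Return the list of policy problems; an empty list means acceptable."""
        problems = []
        if len(pw) < MIN_LEN:
            problems.append("too short")
        if char_classes(pw) < MIN_CLASSES:
            problems.append("too few character classes")
        if any(hmac.compare_digest(_digest(pw, s), d) for s, d in self.history):
            problems.append("reused")
        return problems

    def set_password(self, pw, today):
        problems = self.check(pw)
        if problems:
            raise ValueError(", ".join(problems))
        salt = os.urandom(16)
        self.history.append((salt, _digest(pw, salt)))
        self.changed = today

    def expired(self, today):
        # Assumption: a password is due for change once it is 180 days old.
        return self.changed is None or (today - self.changed).days >= MAX_AGE_DAYS
```
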