Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: Chad McDonald <Mcdonald () AUDITS GA GOV>
Date: Tue, 14 Apr 2009 07:18:37 -0400
I don't see anyone making a distinction between the IT resources involved. Perhaps a two-tiered password change policy makes more sense. I think that it could be argued that there is a larger problem if server/system passwords aren't changed on a reasonable schedule versus the risk involved with a faculty or computer lab system. Is it more palatable to require a frequent change for critical or sensitive systems and a less frequent (once per semester?) change for all other systems?

I think if you toss in account lockout after X number of failed login attempts and complex (8 characters, 1 upper case, 1 special, 1 number) passwords across all systems, you can pretty effectively mitigate most brute force attacks.

I suppose I should toss in a disclaimer that this is my personal opinion and not in any way reflective of opinions of my employer.

Sincerely,

Chad McDonald, CISSP, CISA, PMP
Information Systems Auditor
State of Georgia Department of Audits and Accounts
Information Systems Audit and Assurance Services Division
270 Washington St., SW Room 1-156
Atlanta, Georgia 30334-8400
Phone: 404.651.8754
Fax: 404.657.5539
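As an added illustration of the policy sketched above (example code, not from the post or the list), here is a small Python checker that applies the stated complexity rule, a two-tier maximum password age and lockout after a threshold of failed logins. The 90-day critical tier, the 120-day "once per semester" tier and the lockout threshold of 5 are assumed values chosen for illustration.

```python
import string
from dataclasses import dataclass
from datetime import date, timedelta

# Tiered maximum password age in days. Values are assumed for illustration:
# critical/sensitive systems change more often than everything else.
MAX_AGE_DAYS = {"critical": 90, "standard": 120}
LOCKOUT_THRESHOLD = 5  # the post's "X" failed attempts; 5 is an assumed value


def meets_complexity(pw: str) -> bool:
    """8+ characters with at least one upper-case, one digit and one special."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def change_required(tier: str, last_changed: date, today: date) -> bool:
    """True when the password is older than the tier's maximum age."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS[tier])


@dataclass
class Account:
    user: str
    tier: str
    last_changed: date
    failed_attempts: int = 0
    locked: bool = False

    def record_failure(self) -> bool:
        """Count a failed login and lock the account at the threshold."""
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
        return self.locked

    def record_success(self) -> None:
        """A successful login resets the failure counter."""
        self.failed_attempts = 0


def audit(accounts, today: date):
    """Return (user, finding) pairs for accounts that need attention."""
    findings = []
    for a in accounts:
        if a.locked:
            findings.append((a.user, "locked out"))
        if change_required(a.tier, a.last_changed, today):
            findings.append((a.user, f"password older than {MAX_AGE_DAYS[a.tier]} days"))
    return findings
```

Run against a constructed list of accounts, `audit` flags only the accounts whose tier-specific age limit is exceeded or that have tripped the lockout counter.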