Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Tue, 14 Apr 2009 08:56:56 -0400
> I don't see anyone making a distinction between the IT resources involved. Perhaps a two-tiered password change policy makes more sense. I think that it could be argued that there is a larger problem if server/system passwords aren't changed on a reasonable schedule versus the risk involved with a faculty or computer lab system. Is it more palatable to require a frequent change for critical or sensitive systems and a less frequent (once per semester?) change for all other systems? I think if you toss in account lockout after X number of failed login attempts and complex (8 characters, 1 upper case, 1 special, 1 number) passwords across all systems, you can pretty effectively mitigate most brute force attacks.
That is what we do. We only expire passwords for enterprise applications (where a good portion of the important stuff is kept). The ironic thing is these accounts, given network placement and other controls, are probably less susceptible to brute force attacks, interception, etc. than regular accounts. :-)
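The two-tiered expiry, failed-login lockout and complexity policy sketched in this exchange, as an added example that is not part of the original thread (Python; the 90/180-day intervals, the lockout threshold X=5 and the 30-minute lockout window are assumptions, not values from the posts):

```python
import re
from dataclasses import dataclass
from typing import Optional

DAY = 86400  # seconds

# Two-tiered maximum password age, as the thread proposes.  The exact
# intervals are assumptions: "frequent" for critical systems, roughly a
# semester for everything else.
MAX_PASSWORD_AGE = {"critical": 90 * DAY, "standard": 180 * DAY}
LOCKOUT_THRESHOLD = 5            # "X failed login attempts"; X=5 is assumed
LOCKOUT_DURATION = 30 * 60       # assumed 30-minute lockout window

# Complexity rules quoted in the thread: 8 characters, 1 upper case,
# 1 special, 1 number.
COMPLEXITY_RULES = [
    (r".{8,}", "at least 8 characters"),
    (r"[A-Z]", "at least one upper-case letter"),
    (r"\d", "at least one digit"),
    (r"[^A-Za-z0-9]", "at least one special character"),
]


def complexity_failures(password: str) -> list:
    """Return the list of rules the candidate password fails (empty = OK)."""
    return [msg for pat, msg in COMPLEXITY_RULES if not re.search(pat, password)]


@dataclass
class Account:
    tier: str                 # "critical" or "standard"
    password_set_at: int      # epoch seconds
    failed_attempts: int = 0
    locked_until: Optional[int] = None

    def password_expired(self, now: int) -> bool:
        return now - self.password_set_at > MAX_PASSWORD_AGE[self.tier]

    def record_login(self, success: bool, now: int) -> str:
        """Apply lockout and expiry policy; returns ok/failed/locked/expired."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"           # still inside the lockout window
        if not success:
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked_until = now + LOCKOUT_DURATION
                self.failed_attempts = 0
                return "locked"
            return "failed"
        self.failed_attempts = 0      # a good login clears the counter
        self.locked_until = None
        return "expired" if self.password_expired(now) else "ok"
```

The lockout counter resets on a successful login, and an expired password is only reported once the credential itself has been accepted, so an attacker probing accounts cannot learn expiry state from failed attempts.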