Re: (***POSSIBLE SPAM***) Re: [SECURITY] Password Expatriation notification

[Walter Moore <moorewr () ECKERD EDU>]

(new list member here, jumping in)

Password aging is something we are asked to do for compliance with PCI and
is a recommendation in our finance audits. We also note that it does
decrease the overwhelming tendency users have of using the same password for
their work e-mail as they do for facebook and other such sites.

I agree that a 15-character passphrase has to be written down somewhere.. so
if that's your policy it needs to be coupled with some kind of password
vault or self-recovery process... which often includes e-mailing a temporary
password or asking for information that is less secure than the actual
password.

On Thu, Aug 19, 2010 at 10:10 AM, SCHALIP, MICHAEL <mschalip () cnm edu> wrote:

> We currently require 15 character passwords and it's becoming somewhat of a
> fiasco - calls to the Service Desk for password resets have gone through the
> roof.  You can call them "passphrases" all you want, but I'm becoming
> convinced that the human mind is just not wired to follow along.  What we've
> also seen is that students could remember the shorter passwords - but
> they've taken to writing the 15-char passwords down a LOT more - we know,
> because we're finding them laying all over the place.   And I'm not sure
> that never requiring a password change - regardless of whether it's 6 char
> or 20 char - is such a great idea.....
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Monroe
> Sent: Thursday, August 19, 2010 8:06 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: (***POSSIBLE SPAM***) Re: [SECURITY] Password Expatriation
> notification
>
> Wouldn't it be easier to just require 15 or 20 character passphrases and
> never have them expire? (Two factor would be nice but not financially sound
> for the whole campus right now.) It would seem that it might not be too hard
> of a sell with the -- Never have to change it again.. angle. And passphrases
> are easier to type than the random crazy passwords..
>
> Mark
>
> On 8/19/2010 8:56 AM, Ullman, Catherine wrote:
> > James,
> >
> > I would whole-heartedly agree to your statement about providing emails
> > from IT WITHOUT links, but rather reference a known web site by name.
> > I think it makes education and reinforcement of not clicking on links
> > much easier when IT never sends out links either.  :-)
> >
> > I expressed this sentiment just before a recent round of emails were
> > sent regarding password changes only to be informed that it would be
> > "too difficult" for the users to do and thus they wouldn't bother to
> > change their passwords.  While I understand that the password change
> > is critical, I think sending links is today a greater risk because it
> > encourages bad behavior on the part of the user.
> >
> > I will be interested to see what others out there have to say.
> >
> > Best,
> > Cathy
> >
> >
> > Catherine J. Ullman
> > Information Security Analyst
> > Information Security Office
> > University at Buffalo
> > cende () buffalo edu
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James
> > Sent: Thursday, August 19, 2010 9:23 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Password Expatriation notification
> >
> > We also send our users messages like this. However I'm concerned that
> > it would take very little effort to copy the content, spoof the from
> > address and href the links so they look genuine but take them to a
> > random web server which is setup with a copy of our real password
> management system.
> > For this reason I think we shouldn't provide links in emails that ask
> > a user to login to anything, but should advise they visit our main web
> page (i.e.
> > type it in themselves) and we give them a link off that. We can then
> > also tag on to "we never ask for your password" that "we never link to
> > pages that ask for your password".
> >
> > Has anyone else tackled this particularly?
> >
> > Cheers
> > James
> >
> >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bob Bayn
> > > Sent: Tuesday, August 17, 2010 10:11 PM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] Password Expatriation notification
> > >
> > > And we also send out an email notice 14 days before expiration, and
> > > again more frequently as the expiration approaches.  We have a single
> > > enterprise credential for authentication to many systems, including
> > > email.    We try to make our notification not-phish-like but still get a
> > > few inquiries as to the validity of the message.  I usually
> > > congratulate those paranoid souls.  At least it's better than
> > > believing
> > everything.
> >
> > > ;-)
> > >
> > > Our message says:
> > >
> > > Firstname Lastname [UniversityID#],
> > >
> > > Our system indicates that you have not changed your password since
> > > [Month day, year].
> > >
> > > Please take a few minutes to change your password and review your
> > > challenge questions by going to http://password.usu.edu before [date
> > > 6 months later].
> > >
> > > If you do not change your password by [the latter date], you may
> > > experience interruption of service on Utah State University systems.
> > > You will still be able to log in at http://id.usu.edu and make your
> > > password change after that date.
> > >
> > > You may also be temporarily receiving this message:
> > >
> > > 1) If you no longer attend Utah State University: You may not be
> > > interested in maintaining your password with us. Just ignore these
> > > messages. Once your password has expired these reminder messages will
> > > terminate. If you ever need access again you can update your password
> > > at http://id.usu.edu or contact the Service Desk.
> > >
> > > 2) If you have never attended Utah State University: We may have
> > > assigned you an account in conjunction with a high school concurrent
> > > enrollment course, or even as a result of receiving your SAT/ACT
> > > scores
> > >
> > > from high school. Once your password has expired these reminder
> >
> > > messages will terminate.
> > >
> > > The Information Technology Service Desk can assist you with any
> > > questions you might have.
> > >
> > > Contact us at:
> > > Phone: 797-HELP (4357)
> > > Toll Free: 877-878-8325
> > > Email: servicedesk () usu edu<mailto:servicedesk () usu edu>
> > > Footprints.usu.edu<http://Footprints.usu.edu>  (Issue Tracking
> > > System) [end of message] ____________________________
> > > Bob Bayn        (435)797-2396      Security Team coordinator
> > >              http://tinyurl.com/I-Need-a-Kidney
> > > Office of Information Technology   at  Utah State University
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.



-- 
+-----------------------------------------------------------------+
Walter R. Moore --  Sr. Systems Administrator, Eckerd College
moorewr () eckerd edu --  http://home.eckerd.edu/~moorewr

"It was glorious to see -- if your heart were iron,
And you could keep from grieving at all the pain" - The Iliad (13.355)

I'm on twitter: http://twitter.com/moorewreckerd

***Reminder! ITS will never ask you to e-mail your password!***