Educause Security Discussion mailing list archives
Re: (***POSSIBLE SPAM***) Re: [SECURITY] Password Expatriation notification
From: Walter Moore <moorewr () ECKERD EDU>
Date: Thu, 19 Aug 2010 10:18:06 -0400
(new list member here, jumping in) Password aging is something we are asked to do for compliance with PCI and is a recommendation in our finance audits. We also note that it does decrease the overwhelming tendency users have of using the same password for their work e-mail as they do for facebook and other such sites. I agree that a 15-character passphrase has to be written down somewhere.. so if that's your policy it needs to be coupled with some kind of password vault or self-recovery process... which often includes e-mailing a temporary password or asking for information that is less secure than the actual password. On Thu, Aug 19, 2010 at 10:10 AM, SCHALIP, MICHAEL <mschalip () cnm edu> wrote:
We currently require 15 character passwords and it's becoming somewhat of a fiasco - calls to the Service Desk for password resets have gone through the roof. You can call them "passphrases" all you want, but I'm becoming convinced that the human mind is just not wired to follow along. What we've also seen is that students could remember the shorter passwords - but they've taken to writing the 15-char passwords down a LOT more - we know, because we're finding them laying all over the place. And I'm not sure that never requiring a password change - regardless of whether it's 6 char or 20 char - is such a great idea..... -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto: SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Monroe Sent: Thursday, August 19, 2010 8:06 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: (***POSSIBLE SPAM***) Re: [SECURITY] Password Expatriation notification Wouldn't it be easier to just require 15 or 20 character passphrases and never have them expire? (Two factor would be nice but not financially sound for the whole campus right now.) It would seem that it might not be too hard of a sell with the -- Never have to change it again.. angle. And passphrases are easier to type than the random crazy passwords.. Mark On 8/19/2010 8:56 AM, Ullman, Catherine wrote:James, I would whole-heartedly agree to your statement about providing emails from IT WITHOUT links, but rather reference a known web site by name. I think it makes education and reinforcement of not clicking on links much easier when IT never sends out links either. :-) I expressed this sentiment just before a recent round of emails were sent regarding password changes only to be informed that it would be "too difficult" for the users to do and thus they wouldn't bother to change their passwords. While I understand that the password change is critical, I think sending links is today a greater risk because it encourages bad behavior on the part of the user. I will be interested to see what others out there have to say. Best, Cathy Catherine J. Ullman Information Security Analyst Information Security Office University at Buffalo cende () buffalo edu -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Sent: Thursday, August 19, 2010 9:23 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Password Expatriation notification We also send our users messages like this. However I'm concerned that it would take very little effort to copy the content, spoof the from address and href the links so they look genuine but take them to a random web server which is setup with a copy of our real passwordmanagement system.For this reason I think we shouldn't provide links in emails that ask a user to login to anything, but should advise they visit our main webpage (i.e.type it in themselves) and we give them a link off that. We can then also tag on to "we never ask for your password" that "we never link to pages that ask for your password". Has anyone else tackled this particularly? Cheers James-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bob Bayn Sent: Tuesday, August 17, 2010 10:11 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Password Expatriation notification And we also send out an email notice 14 days before expiration, and again more frequently as the expiration approaches. We have a single enterprise credential for authentication to many systems, including email. We try to make our notification not-phish-like but still get a few inquiries as to the validity of the message. I usually congratulate those paranoid souls. At least it's better than believingeverything.;-) Our message says: Firstname Lastname [UniversityID#], Our system indicates that you have not changed your password since [Month day, year]. Please take a few minutes to change your password and review your challenge questions by going to http://password.usu.edu before [date 6 months later]. If you do not change your password by [the latter date], you may experience interruption of service on Utah State University systems. You will still be able to log in at http://id.usu.edu and make your password change after that date. You may also be temporarily receiving this message: 1) If you no longer attend Utah State University: You may not be interested in maintaining your password with us. Just ignore these messages. Once your password has expired these reminder messages will terminate. If you ever need access again you can update your password at http://id.usu.edu or contact the Service Desk. 2) If you have never attended Utah State University: We may have assigned you an account in conjunction with a high school concurrent enrollment course, or even as a result of receiving your SAT/ACT scores from high school. Once your password has expired these remindermessages will terminate. The Information Technology Service Desk can assist you with any questions you might have. Contact us at: Phone: 797-HELP (4357) Toll Free: 877-878-8325 Email: servicedesk () usu edu<mailto:servicedesk () usu edu> Footprints.usu.edu<http://Footprints.usu.edu> (Issue Tracking System) [end of message] ____________________________ Bob Bayn (435)797-2396 Security Team coordinator http://tinyurl.com/I-Need-a-Kidney Office of Information Technology at Utah State University-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
-- +-----------------------------------------------------------------+ Walter R. Moore -- Sr. Systems Administrator, Eckerd College moorewr () eckerd edu -- http://home.eckerd.edu/~moorewr "It was glorious to see -- if your heart were iron, And you could keep from grieving at all the pain" - The Iliad (13.355) I'm on twitter: http://twitter.com/moorewreckerd ***Reminder! ITS will never ask you to e-mail your password!***
Current thread:
- Re: University credentials used by third parties, (continued)
- Re: University credentials used by third parties Pete Hickey (Aug 17)
- Re: University credentials used by third parties Valdis Kletnieks (Aug 17)
- Password Expatriation notification James Farr '05 (Aug 17)
- Re: Password Expatriation notification Ken Connelly (Aug 17)
- Re: Password Expatriation notification Kieper, David (Aug 17)
- Re: Password Expatriation notification Bob Bayn (Aug 17)
- Re: Password Expatriation notification James (Aug 19)
- Re: Password Expatriation notification Ullman, Catherine (Aug 19)
- Re: Password Expatriation notification Mark Monroe (Aug 19)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Password Expatriation notification SCHALIP, MICHAEL (Aug 19)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Password Expatriation notification Walter Moore (Aug 19)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Password Expatriation notification Valdis Kletnieks (Aug 19)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Password Expatriation notification Charles Buchholtz (Aug 19)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Password Expatriation notification Valdis Kletnieks (Aug 19)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Password Expatriation notification Charles Buchholtz (Aug 19)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Password Expatriation notification Eric Case (Aug 19)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Password Expatriation notification Deke Kassabian (Aug 19)
- Re: Password Expatriation notification Alex Keller (Aug 19)
- Re: Password Expatriation notification SCHALIP, MICHAEL (Aug 19)
- Re: Password Expatriation notification Charles Buchholtz (Aug 19)
- Re: Password Expatriation notification Eric Case (Aug 19)