Educause Security Discussion mailing list archives

Re: Current Best Practice regarding Password Change policy


From: Jack Reardon <jack.reardon () WORCESTER EDU>
Date: Fri, 24 Sep 2010 09:16:55 -0400

We use Active Directory complexity.  Here are the other requirements:

- 8 character minimum
- a minimum 3 of the following 5: upper, lower, number, punctuation, special
- change every 90 days
- no part of username in PW
- last 20 PWs can not be repeated
- lockout of 30 minutes if there are 6 failed attempts in a 30 minute period

There was some push back when we implemented these policies.  The resource
we are protecting is valued by the users and they have come to accept the
policy.  We do tend to get the usual references to the Gene Spafford article
on the subject.  That writing does not sway me or the auditors.  We believe
that people tend to use the same password for many accounts, both personal
and professional.  90 days means an abandoned password is locked after just
90 days.  The state auditors that reviewed our IT policies and procedures
were pleased with our password policy.  I know that does not improve
security, but it does allow us to "pass" the audit and allow us to focus on
security.  Here is the statement we put on our password change screen:

Your password MUST be 8 characters in length and MUST include + 1 upper case
letter + 1 lower case letter + 1 number. Passwords cannot contain any
portion of your username or previous passwords. [NOTE: do NOT use special
characters in your password i.e. <, > ?#$%^&*()!@ etc.]

Note the warning about special characters.  This is a restriction of our
Blackboard setup.  Some of the special characters do not work with our
Blackboard Community system.

Jack Reardon
Associate Director, Infrastructure Services
Worcester State University


On Fri, Sep 24, 2010 at 8:28 AM, Barbara Deschapelles <
deschapellesb () clarkstate edu> wrote:



We currently require all, Students, Faculty and Staff, to change passwords
every 90 days and we are enforcing unique passwords (no repeats). This is a
relatively new requirement here and we are getting a lot of push back on the
change.  I'd like to get a feel for what people accept as current best
practice for password change intervals and other related policies, and also,
if it is different than the best practice what people are actually doing (if
you wish to share that :-)

Thanks for your help.  I'll be glad to summarize for the group if there is
interest in that.




Barb Deschapelles
Executive Director Information Technology
Clark State Community College
570 East Leffel Lane
PO Box 570
Springfield, OH 45501-0570
Phone: 937 328-6144

Think before you print - save a tree.
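The rules Jack lists (8-character minimum, 3 of 5 character classes, no part of the username, 20-password history, and a 6-failures-in-30-minutes lockout of 30 minutes) are mechanical enough to be checked outside Active Directory, for example in a self-service password portal that fronts AD. The block below is an added example written for this page; it is not code from Worcester State, Blackboard or Microsoft. It assumes a particular split of non-alphanumeric characters into "punctuation" and "special" (AD itself has a single non-alphanumeric category), assumes "no part of username" means no 3-character-or-longer substring of the username, and stores history as salted PBKDF2 hashes. The Blackboard special-character restriction is not modelled.

```python
"""Password-policy and lockout checks modelled on the rules in the post above.
Added example for this page; not AD's, Blackboard's or the university's own code."""
import hashlib
import os
import string

# Five character classes as listed in the post. Which characters count as
# "punctuation" versus "special" is an assumption made for this example.
PUNCTUATION = set(".,;:!?'\"")
SPECIAL = set(string.punctuation) - PUNCTUATION

MIN_LENGTH = 8
MIN_CLASSES = 3
HISTORY_DEPTH = 20
LOCKOUT_THRESHOLD = 6          # failed attempts ...
OBSERVATION_WINDOW = 30 * 60   # ... within this many seconds ...
LOCKOUT_DURATION = 30 * 60     # ... lock the account for this long
PBKDF2_ROUNDS = 100_000


def character_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for c in pw:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("number")
        elif c in PUNCTUATION:
            classes.add("punctuation")
        elif c in SPECIAL:
            classes.add("special")
    return classes


def contains_username_part(pw, username, min_part=3):
    """True if any case-insensitive substring of the username of length
    min_part or more appears in the password (assumed reading of the rule)."""
    pw_l, u = pw.lower(), username.lower()
    if len(u) < min_part:
        return u in pw_l
    return any(u[i:i + min_part] in pw_l for i in range(len(u) - min_part + 1))


def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Keeps the last `depth` passwords as (salt, hash) pairs, oldest first."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self.entries = []

    def seen(self, pw):
        return any(_hash(pw, salt) == h for salt, h in self.entries)

    def add(self, pw):
        salt = os.urandom(16)
        self.entries.append((salt, _hash(pw, salt)))
        del self.entries[:-self.depth]      # evict everything older than `depth`


def validate(pw, username, history):
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if len(character_classes(pw)) < MIN_CLASSES:
        problems.append("needs 3 of 5 character classes")
    if contains_username_part(pw, username):
        problems.append("contains part of username")
    if history.seen(pw):
        problems.append("reused within last %d passwords" % history.depth)
    return problems


class LockoutTracker:
    """Sliding window: LOCKOUT_THRESHOLD failures inside OBSERVATION_WINDOW
    lock the account for LOCKOUT_DURATION. Timestamps are seconds."""

    def __init__(self):
        self.failures = {}       # user -> list of failure timestamps in the window
        self.locked_until = {}   # user -> time the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        window = [t for t in self.failures.get(user, []) if now - t < OBSERVATION_WINDOW]
        window.append(now)
        self.failures[user] = window
        if len(window) >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_DURATION
            self.failures[user] = []          # counter resets once locked
        return self.is_locked(user, now)

    def record_success(self, user):
        self.failures.pop(user, None)
```

The observation window matters: six failures spread over more than 30 minutes never lock the account, which is exactly the kind of slow-and-low guessing an attacker aims for, so the lockout is a brake on online brute force rather than a substitute for strong passwords.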