Educause Security Discussion mailing list archives
Re: Current Best Practice regarding Password Change policy
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Fri, 24 Sep 2010 09:20:25 -0400
Hi Barb,

Here are a few articles on the subject .. you may discover that I'm on the other side of this argument :-)

Please note that I didn't write any of these :-)

<http://isc.sans.org/diary.html?storyid=7510>
<http://blogs.sepago.de/helge/2009/06/22/how-forcing-password-changes-actually-weakens-security/>
<http://ha.ckers.org/blog/20060605/security-policies-weakens-passwords/>

Not exactly on topic, but interesting
<http://blog.isc2.org/isc2_blog/2008/09/password-reset.html>

Interesting discussion on the topic
<http://www.reddit.com/r/programming/comments/85d4c/ask_proggit_does_enforcing_a_password_change/>

Nice article on why lockout is a bad idea
<http://shermansolutionsllc.com/secmusings/topics/unconventional-wisdom>

<http://essays.hexapodia.net/security/passwords.html>
<http://all.net/journal/netsec/1997-09.html>
<http://blogs.sepago.de/helge/2009/06/22/how-forcing-password-changes-actually-weakens-security/>

Enjoy!

Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Friday, September 24, 2010 8:28 AM -0400 Barbara Deschapelles <deschapellesb () CLARKSTATE EDU> wrote:
We currently require all, Students, Faculty and Staff, to change passwords every 90 days and we are enforcing unique passwords (no repeats). This is a relatively new requirement here and we are getting a lot of push back on the change.

I'd like to get a feel for what people accept as current best practice for password change intervals and other related policies, and also, if it is different than the best practice what people are actually doing (if you wish to share that :-)

Thanks for your help. I'll be glad to summarize for the group if there is interest in that.

Barb Deschapelles
Executive Director Information Technology
Clark State Community College
570 East Leffel Lane
PO Box 570
Springfield, OH 45501-0570
Phone: 937 328-6144

Think before you print - save a tree.