Educause Security Discussion mailing list archives

Re: Current Best Practice regarding Password Change policy


From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Fri, 24 Sep 2010 09:31:45 -0500

I'd suggest that password aging should be based on the risk that somebody
could obtain, and crack, the password hashes.  It's not a
black-and-white issue, regardless of what the auditors, Spaf, or I say about
it.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Friday, September 24, 2010 7:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Current Best Practice regarding Password Change
policy

On Fri, 24 Sep 2010 08:28:02 EDT, Barbara Deschapelles said:

We currently require all students, faculty and staff to change
passwords every 90 days and we are enforcing unique passwords (no
repeats). This is a relatively new requirement here and we are getting
a lot of push back on the change.  I'd like to get a feel for what
people accept as current best practice for password change intervals
and other related policies, and also, if it is different from the best
practice, what people are actually doing (if you wish to share that :-)

There's "what everybody is doing because auditors insist" and "what actually
makes sense in today's computing environment".  Make sure to read what Gene
Spafford wrote about it:

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/

(Anybody want to publicly admit they were able to sell the auditors on what
Spaf said, and managed to eliminate mandatory changes?)
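Roger's point above is that a change interval should be set against how long a stolen hash dump stays useful to an attacker. The following is an added worked example, not code from the list thread or from any of its participants, that makes that estimate concrete: it builds a tiny constructed "dump" of four user passwords two ways (unsalted SHA-256, and salted PBKDF2 with an assumed iteration count), runs the same constructed wordlist against both, counts the hash work each attack costs, and then compares a worst-case cracking time against a 90-day interval. All user names, passwords, wordlist entries, throughput figures and iteration counts are assumptions chosen for illustration, not measurements.

```python
"""Added example (not from the EDUCAUSE thread): how the stored hash format
drives the time a leaked hash dump stays crackable, which is the quantity a
password-change interval should be compared against."""
import hashlib
import os
from typing import Dict, Tuple

# Constructed sample data: a small wordlist and four "users" (illustrative only).
WORDLIST = ["password", "letmein", "Wildcats2010", "qwerty", "Fall2010!", "iloveyou"]
USERS = {
    "alice": "Fall2010!",
    "bob": "password",
    "carol": "Xk#9v!pQ2mLz",   # not in the wordlist; should survive both attacks
    "dave": "letmein",
}


def unsalted_dump(users: Dict[str, str]) -> Dict[str, str]:
    """Weak storage: one fast, unsalted SHA-256 per user."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def salted_dump(users: Dict[str, str], iterations: int) -> Dict[str, Tuple[bytes, int, bytes]]:
    """Stronger storage: per-user random salt and an iterated KDF (PBKDF2-HMAC-SHA256)."""
    dump = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        dump[u] = (salt, iterations, dk)
    return dump


def crack_unsalted(dump: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    """Without salts one hash per candidate covers every user at once.
    Returns (cracked users, number of hash computations spent)."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: table[h] for u, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist) -> Tuple[Dict[str, str], int]:
    """With per-user salts every candidate must be re-derived for every user,
    and each derivation costs `iterations` hash operations.
    Returns (cracked users, number of hash operations spent)."""
    cracked: Dict[str, str] = {}
    work = 0
    for u, (salt, iters, dk) in dump.items():
        for w in wordlist:
            work += iters
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters) == dk:
                cracked[u] = w
                break
    return cracked, work


def worst_case_seconds(users: int, wordlist_size: int, iterations: int,
                       salted: bool, ops_per_second: float) -> float:
    """Upper bound on the time to try a whole wordlist against a whole dump,
    given an assumed attacker throughput in hash operations per second."""
    ops = wordlist_size * (users * iterations if salted else 1)
    return ops / ops_per_second


def change_interval_limits_exposure(interval_days: int, crack_seconds: float) -> bool:
    """A forced change only shortens the exposure if the hash would still be
    uncracked when the user replaces it."""
    return crack_seconds > interval_days * 86400


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(unsalted_dump(USERS), WORDLIST))
    print("salted:  ", crack_salted(salted_dump(USERS, 1000), WORDLIST))
    # Assumed figures: 100k users, a 1e9-entry wordlist, 1e9 hash ops/s attacker.
    fast = worst_case_seconds(100_000, 10**9, 1, False, 1e9)
    slow = worst_case_seconds(100_000, 10**9, 100_000, True, 1e9)
    for label, secs in (("unsalted SHA-256", fast), ("salted PBKDF2 x100k", slow)):
        print(f"{label}: {secs:.3g} s; 90-day change helps: "
              f"{change_interval_limits_exposure(90, secs)}")
```

The hash counts are the point: the unsalted attack spends one hash per wordlist entry regardless of how many users leaked, while the salted, iterated store multiplies the cost by the user count and the iteration count. Under the assumed throughput the unsalted dump is exhausted in about a second, so a 90-day change does nothing for it; the iterated store pushes the worst case far past the interval, which is the regime in which an interval actually bounds exposure.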

