Educause Security Discussion mailing list archives

Re: Current Best Practice regarding Password Change policy


From: James Farr '05 <jfarr () UTICA EDU>
Date: Fri, 24 Sep 2010 11:13:58 -0400

We have also recently instituted a password change policy.  Our policy is
that you must change your password every 120 days.  You cannot reuse an old
password, and you must include special characters.  We got a moderate amount
of pushback, but it is getting better.

There are merits to each of the points both for and against password change
timelines. If we abandon password changes or make the time between changes
too long are we putting out the wrong message? How important can passwords
be if they never change?  Unfortunately, we know users share passwords with
fellow employees (full time, part time, student help). If passwords never
change, there may be a number of people who know that password. Finding a
middle ground that works for the users and still increases security is the
best we can hope for.


James Farr
Information Security Officer
Instructional Technologist
Utica College
jfarr () utica edu
315-223-2386


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe St Sauver
Sent: Friday, September 24, 2010 10:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Current Best Practice regarding Password Change
policy

Barb mentioned:

#We currently require all, Students, Faculty and Staff, to change passwords
#every 90 days and we are enforcing unique passwords (no repeats). This is
#a relatively new requirement here and we are getting a lot of push back on
#the change.  I'd like to get a feel for what people accept as current best
#practice for password change intervals and other related policies, and
#also, if it is different than the best practice what people are actually
#doing (if you wish to share that :-)

I think I've previously mentioned this resource, but FWIW, you're welcome
to see the password talk I did for the Northwest Academic Computing 
Consortium a year or so ago:

   "Passwords"
   http://darkwing.uoregon.edu/~joe/passwords/passwords.pdf

I discuss password changes a bit in section 4 at pages 59-66.

Regards,

Joe St Sauver (joe () oregon uoregon edu)
http://darkwing.uoregon.edu/~joe/

