Educause Security Discussion mailing list archives
Re: Current Best Practice regarding Password Change policy
From: James Farr '05 <jfarr () UTICA EDU>
Date: Fri, 24 Sep 2010 11:13:58 -0400
We have also recently instituted a password change policy. Our policy is you must change your password every 120 days. You cannot reuse an old password, you must include special characters. We got a moderate amount of pushback, but it is getting better.

There are merits to each of the points both for and against password change timelines. If we abandon password changes or make the time between changes too long, are we putting out the wrong message? How important can passwords be if they never change? Unfortunately we know users share passwords with fellow employees (full time, part time, student help). If passwords never change there may be a number of people who know that password. Finding a middle ground that works for the users and still increases security is the best we can hope for.

James Farr
Information Security Officer
Instructional Technologist
Utica College
jfarr () utica edu
315-223-2386

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe St Sauver
Sent: Friday, September 24, 2010 10:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Current Best Practice regarding Password Change policy

Barb mentioned:

#We currently require all, Students, Faculty and Staff, to change passwords
#every 90 days and we are enforcing unique passwords (no repeats). This is
#a relatively new requirement here and we are getting a lot of push back on
#the change. I'd like to get a feel for what people accept as current best
#practice for password change intervals and other related policies, and
#also, if it is different than the best practice what people are actually
#doing (if you wish to share that :-)

I think I've previously mentioned this resource, but FWIW, you're welcome to see the password talk I did for the Northwest Academic Computing Consortium a year or so ago:

"Passwords"
http://darkwing.uoregon.edu/~joe/passwords/passwords.pdf

I discuss password changes a bit in section 4 at pages 59-66.

Regards,

Joe St Sauver (joe () oregon uoregon edu)
http://darkwing.uoregon.edu/~joe/