Educause Security Discussion mailing list archives

Re: Current Best Practice regarding Password Change policy


From: "Koski, David" <dkoski () UMICH EDU>
Date: Fri, 24 Sep 2010 11:24:46 -0400

Agreed.  This all goes back to the basics of understanding your users, access controls, and proper data 
classification.  You can definitely make one size fit all with a lot of screaming and heartache, but if you properly 
understand your users, access levels and data, then you should properly quantify the risk involved.  

In my opinion, security should be tailored to have the least impact on the user but properly fits the risk.  In most 
cases, this isn't a one size fits all particularly in large organizations with many roles.  Sure, there should be a 
minimum standard to keep users from choosing horrible horrible passwords (We all know they do anyways), but a student 
doesn't necessarily need to have the same password change requirements as someone working with financial information.  
Otherwise you tend to cost the organization more money in the end than the risk you were trying to mitigate to begin 
with.

        David

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave 
Koontz
Sent: Friday, September 24, 2010 11:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Current Best Practice regarding Password Change policy

I concur.

What is missing from most of these types of threads is what information
we are trying to protect and why.  It is not a one size fits all
solution.  Everyone here is pushing for the MAXIMUM policy to apply for
all, which may not be the best solution.

In my experience, Auditors are mostly focused on potential Financial
abuse.  That does not mean that all password policies must be the same.

For example, an adult student who takes a course every other year: do
they really need to change their passwords every 90 days?  If you enable
such a policy, your helpdesk will be swamped with calls to reset
accounts unused for months to years, with little security gain IMO.  Is
that little added security worth the frustration to your students and
the increased helpdesk costs?

For Administrative Staff and Faculty accessing administrative systems, a
90 day password change policy is proper.  These are the people who could
potentially view, and/or alter records to transfer money for personal
gain, or lookup user sensitive information for abuse.

In other words, I believe password policies should be examined and
determined by the type of user who can access sensitive information
rather than a globally defined policy.  I am sure others will disagree...


On 9/24/10 10:31 AM, Roger Safian wrote:
I'd suggest that password aging should be based on the risk that somebody
could obtain, and crack, the password hashes.  It's not a 
black and white issue, regardless of what the Auditors, Spaf, or I say about
it.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Friday, September 24, 2010 7:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Current Best Practice regarding Password Change
policy

On Fri, 24 Sep 2010 08:28:02 EDT, Barbara Deschapelles said:

We currently require all, Students, Faculty and Staff, to change 
passwords every 90 days and we are enforcing unique passwords (no 
repeats). This is a relatively new requirement here and we are getting 
a lot of push back on the change.  I'd like to get a feel for what 
people accept as current best practice for password change intervals 
and other related policies, and also, if it is different than the best 
practice what people are actually doing (if you wish to share that :-)

There's "what everybody is doing because auditors insist" and "what actually
makes sense in today's computing environment".  Make sure to read what Gene
Spafford wrote about it:

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/

(Anybody want to publicly admit they were able to sell the auditors on what
Spaf said, and managed to eliminate mandatory changes?)

