Educause Security Discussion mailing list archives
Re: Current Best Practice regarding Password Change policy
From: "Koski, David" <dkoski () UMICH EDU>
Date: Fri, 24 Sep 2010 11:24:46 -0400
Agreed. This all goes back to the basics of understanding your users, access controls, and proper data classification. You can definitely make one size fit all with a lot of screaming and heartache, but if you properly understand your users, access levels and data, then you should properly quantify the risk involved. In my opinion, security should be tailored to have the least impact on the user but properly fit the risk. In most cases, this isn't one size fits all, particularly in large organizations with many roles. Sure, there should be a minimum standard to keep users from choosing horrible, horrible passwords (we all know they do anyway), but a student doesn't necessarily need to have the same password change requirements as someone working with financial information. Otherwise you tend to cost the organization more money in the end than the risk you were trying to mitigate to begin with.

David

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Koontz
Sent: Friday, September 24, 2010 11:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Current Best Practice regarding Password Change policy

I concur. What is missing from most of these types of threads is what information we are trying to protect and why. It is not a one size fits all solution. Everyone here is pushing for the MAXIMUM policy to apply for all, which may not be the best solution. In my experience, Auditors are mostly focused on potential Financial abuse. That does not mean that all password policies must be the same. For example, an adult student who takes a course every other year: do they really need to change their password every 90 days? If you enable such a policy, your helpdesk will be swamped with calls to reset accounts unused for months to years, with little security gain IMO.

Is that little added security worth the frustration to your students and the increased helpdesk costs? For Administrative Staff and Faculty accessing administrative systems, a 90 day password change policy is proper. These are the people who could potentially view and/or alter records to transfer money for personal gain, or look up sensitive user information for abuse. In other words, I believe password policies should be examined and determined by the type of user who can access sensitive information rather than a globally defined policy. I am sure others will disagree...

On 9/24/10 10:31 AM, Roger Safian wrote:

I'd suggest that password aging should be based on the risk that somebody could obtain, and crack, the password hashes. It's not a black and white issue, regardless of what the Auditors, Spaf, or I say about it.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Friday, September 24, 2010 7:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Current Best Practice regarding Password Change policy

On Fri, 24 Sep 2010 08:28:02 EDT, Barbara Deschapelles said:

We currently require all, Students, Faculty and Staff, to change passwords every 90 days and we are enforcing unique passwords (no repeats). This is a relatively new requirement here and we are getting a lot of push back on the change. I'd like to get a feel for what people accept as current best practice for password change intervals and other related policies, and also, if it is different than the best practice, what people are actually doing (if you wish to share that :-)

There's "what everybody is doing because auditors insist" and "what actually makes sense in today's computing environment". Make sure to read what Gene Spafford wrote about it:

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/

(Anybody want to publicly admit they were able to sell the auditors on what Spaf said, and managed to eliminate mandatory changes?)
Current thread:
- Current Best Practice regarding Password Change policy Barbara Deschapelles (Sep 24)
- Re: Current Best Practice regarding Password Change policy Greg Washburn (Sep 24)
- Re: Current Best Practice regarding Password Change policy Valdis Kletnieks (Sep 24)
- Re: Current Best Practice regarding Password Change policy Scott O. Bradner (Sep 24)
- Re: Current Best Practice regarding Password Change policy Roger Safian (Sep 24)
- Re: Current Best Practice regarding Password Change policy Dave Koontz (Sep 24)
- Re: Current Best Practice regarding Password Change policy Koski, David (Sep 24)
- Re: Current Best Practice regarding Password Change policy John Ladwig (Sep 24)
- Re: Current Best Practice regarding Password Change policy Jack Reardon (Sep 24)
- Re: Current Best Practice regarding Password Change policy John Ladwig (Sep 24)
- Re: Current Best Practice regarding Password Change policy Dexter Caldwell (Sep 24)
- Re: Current Best Practice regarding Password Change policy Doty, Timothy T. (Sep 24)
- Re: Current Best Practice regarding Password Change policy Dexter Caldwell (Sep 24)
- Re: Current Best Practice regarding Password Change policy Joel Rosenblatt (Sep 24)
- Re: Current Best Practice regarding Password Change policy John Ladwig (Sep 24)
- Re: Current Best Practice regarding Password Change policy Joel Rosenblatt (Sep 24)