Re: Current Best Practice regarding Password Change policy

[Jack Reardon <jack.reardon () WORCESTER EDU>]

At our university our students have single signon to their email/LMS/money
on their onecard.  We view security to these accounts comparable to security
to an employee account.  It may seem severe, but we are shooting for
protection.  We are also educating students for security in the professional
world and for their important personal accounts.
Jack Reardon
Associate Director, Infrastructure Services
Worcester State University


On Fri, Sep 24, 2010 at 1:51 PM, John Ladwig <John.Ladwig () csu mnscu edu>wrote:

> Such tailoring gets complicated, though.
>
> "It's just a student account" design considerations could get awfully stale
> awfully quickly if some enterprising business and IT project turns a big
> paper process with hand-keying of financial accounts for students into an
> internet-facing "self-service" student web application.
>
> There is still the matter of degree and volume of sensitive-data access,
> but the slope can get pretty slippy.  This is why we need good links between
> infosec, business analysts, and identity leads and architects.
>
> Internal LOA maintenance and consumption use cases have been coming to me
> far faster and with more significance than I'd have expected a few years ago
> when it was introduced to me in the context of external federation
> scenarios.
>
>   -jml
>
>
> > > > "Koski, David" <dkoski () UMICH EDU> 2010-09-24 10:24 >>>
>  Agreed.  This all goes back to the basics of understanding you're users,
> access controls, and proper data classification.  You can definitely make
> one size fit all with a lot of screaming and heartache, but if you properly
> understand your users, access levels and data, then you should properly
> quantify the risk involved.
>
> In my opinion, security should be tailored to have the least impact on the
> user but properly fits the risk.  In most cases, this isn't a one size fits
> all particularly in large organizations with many roles.  Sure, there should
> be a minimum standard to keep users from choosing horrible horrible
> passwords (We all know they do anyways), but a student doesn't necessarily
> need to have the same password change requirements as someone working with
> financial information.  Otherwise you tend to cost the organization more
> money in the end than the risk your were trying to mitigate to begin with.
>
>        David
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Koontz
> Sent: Friday, September 24, 2010 11:09 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Current Best Practice regarding Password Change
> policy
>
>  I concur.
>
> What is missing from most of these types of threads is what information
> we are trying to protect and why.  It is not a one size fits all
> solution.  Everyone here is pushing for the MAXIMUM policy to apply for
> all, which may not be the best solution.
>
> In my experience, Auditors are mostly focused on potential Financial
> abuse.  That does not mean that all password policies must be the same.
>
> For example, an Adult student who takes a course every other year, do
> they really need to change their passwords every 90 days?  If you enable
> such a policy, your helpdesk will be swamped with calls to reset
> accounts unused for months to years, with little security gain IMO.  Is
> that little added security worth the frustration to your students and
> the increased helpdesk costs?
>
> For Administrative Staff and Faculty accessing administrative systems, a
> 90 day password change policy is proper.  These are the people who could
> potentially view, and/or alter records to transfer money for personal
> gain, or lookup user sensitive information for abuse.
>
> In other words, I believe password policies should be examined and
> determined by the type of user who can access sensitive information
> rather than a globally defined policy.  I am sure others will disagree...
>
>
> On 9/24/10 10:31 AM, Roger Safian wrote:
> > I'd suggest that password aging should be based on the risk that somebody
> > could obtain, and crack, the password hashes.  It's not a
> > black and white issue, regardless of what the Auditors, Spaf, or I say
> about
> > it.
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
> > Sent: Friday, September 24, 2010 7:53 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Current Best Practice regarding Password Change
> > policy
> >
> > On Fri, 24 Sep 2010 08:28:02 EDT, Barbara Deschapelles said:
> >
> > > We currently require all, Students, Faculty and Staff, to change
> > > passwords every 90 days and we are enforcing unique passwords (no
> > > repeats). This is a relatively new requirement here and we are getting
> > > a lot of push back on the change.  I'd like to get a feel for what
> > > people accept as current best practice for password change intervals
> > > and other related policies, and also, if it is different than the best
> > > practice what people are actually doing (if you wish to share that :-)
> > There's "what everybody is doing because auditors insist" and "what
> actually
> > makes sense in today's computing environment".  Make sure to read what
> Gene
> > Spafford wrote about it:
> >
> > http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
> > http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/
> >
> > (Anybody want to publicly admit they were able to sell the auditors on
> what
> > Spaf said, and managed to eliminate mandatory changes?)