Educause Security Discussion mailing list archives

Re: Current Best Practice regarding Password Change policy


From: "John C. Gale" <john_gale () UNCG EDU>
Date: Fri, 24 Sep 2010 17:35:22 -0400


I did not mean to present myself as a HIPAA authority (I only have as
much understanding as the next guy who reads the laws, guidelines, and
standards).  What I meant to communicate previously is that various
local compliance needs would likely force a 90 day value on the Clark
State campus which would render the frequency complaints at the
institution irrelevant.

The short-ish answer for HIPAA is that the "90 days" figure I posted
came from a search on something like "hipaa change password every" on
google.  I found a few software vendors who had a product for handling
medical records who listed this value in their product as meeting HIPAA
compliance.

My own industry experience with HIPAA (and PCI) is that it is often a
question of what people get sued over and what doesn't get flagged on
the resulting independent audit.  What doesn't get flagged is then
"approved" (by virtue only of not being "denied").  So, seeing several
software vendors settling on this value led me to post it.  So, while
not an absolute, it is a value being deployed in the industry (which
seems to be common and reasonable).

I think you are correct and that the HIPAA guidelines don't give a
specific expiration in the compliance specification (I did not find
anything more specific when looking again just now).

As to PCI, the PCI-DSS v1.2 (section 8.5.9) states "Change user
passwords at least every 90 days".

In my experience, compliance needs seem to shake out at about 90 days,
but the moral of this story, is to consult your compliance officer and
follow local policies (and not to blindly follow yours truly).  :^)

Cheers

John


On 09/24/2010 03:38 PM, Myers, Julie wrote:
John

I was reading your response to this email string and was wondering where in the HIPAA standard it states that 
password change of 90 days is required.  I know PCI standard is strict but our HIPAA privacy officer states that 
HIPAA does not specify frequency.  Any information you could provide would be helpful. 

Thank you, 

Julie Myers 
Chief Information Security Officer 
University of  Rochester - University IT
julie.myers () rochester edu  
p: 585.273.1804  c: 585.208.0939  


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John 
C. Gale
Sent: Friday, September 24, 2010 9:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Current Best Practice regarding Password Change policy

HIPAA and PCI both require a password change every 90 days.  So, you
might not have a choice on the interval.

Effective passwords rely almost entirely on full user participation.

Don't:
...write it down
...log in to resources on untrusted machines
...use the same password everywhere (email, social networking, im, etc).
...just increment the password when it "changes" (monkey1...2...3)

Five years from now when my password is "monkey21" is it any better or
any worse than it is today at "monkey1"?  One could argue it is about
the same, but the predictability makes it absurdly weak if any actual
intelligence is applied to guessing (or if samples of previous passwords
exist).

So, the issue of actual security might be largely moot since users
can/will create bad "unique" passwords.

This is not to suggest an argumentum ad numerum.  I think it is still a
defensible practice to ban previous passwords and one you should pursue.
Not doing so pretty much defeats the purpose of changing your password
every 90 days and I would not want to be the one in front of the judge
when that compliance case was being heard.

I never reuse my passwords, so I haven't bumped into it locally.
However, on our campus it is either "never" or a password history not
allowing repeats of the last 12 (or something reasonably high because
most people can't remember the password they want to go back to whenever
they finally have the option here).

Ensuring effective access controls, of course, may most effectively rely
on measures outside of passwords, but that is another story.

Cheers

John

We currently require all, Students, Faculty and Staff, to change
passwords every 90 days and we are enforcing unique passwords (no
repeats). This is a relatively new requirement here and we are
getting a lot of push back on the change.  I'd like to get a feel for
what people accept as current best practice for password change
intervals and other related policies, and also, if it is different
than the best practice what people are actually doing (if you wish to
share that :-)


-- 
O, it is excellent
To have a giant's strength; but it is tyrannous
To use it like a giant.
                -- Shakespeare, "Measure for Measure", II, 2
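The two policy points John raises in the quoted message (a history that bans repeats of the last 12 passwords, and the "monkey1 ... monkey21" increment that makes rotation pointless) as an added Python example; this is not code from the thread or from any campus system, and the stem() heuristic, the PBKDF2 parameters and the reason strings are my own assumptions. It relies on the user typing their current password to authorize the change, so no plaintext history has to be stored.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

HISTORY_DEPTH = 12      # "no repeats of the last 12", as described in the thread
PBKDF2_ROUNDS = 20_000  # assumed value, kept low for the demo; raise in production


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password (assumed scheme for the history store)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def stem(password: str) -> str:
    """Heuristic (my assumption): drop a trailing run of digits/punctuation and
    lowercase, so 'Monkey1', 'monkey21' and 'MONKEY3!' all collapse to 'monkey'."""
    return re.sub(r"[0-9!@#$%^&*.?_-]+$", "", password).lower()


class PasswordHistory:
    """Salted hashes of a user's last `depth` passwords, oldest first."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self._entries: List[Tuple[bytes, bytes]] = []

    def record(self, password: str) -> None:
        """Append the new password's hash and drop anything older than `depth`."""
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))
        del self._entries[:-self.depth]

    def check_change(self, current: str, candidate: str) -> Optional[str]:
        """Return None if the change is acceptable, else a rejection reason.
        `current` is the plaintext the user just typed to authenticate the
        change, which is what lets the increment check work without stored
        plaintext. Hashes are compared in constant time."""
        for salt, digest in self._entries:
            if hmac.compare_digest(_digest(candidate, salt), digest):
                return "reuse-of-recent-password"
        if stem(candidate) == stem(current):
            return "trivial-variant-of-current-password"
        return None
```

A password consisting only of digits or punctuation stems to the empty string, so two such passwords are treated as variants of each other; tighten stem() if that is not the policy you want.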

