Educause Security Discussion mailing list archives

Re: Student Passwords


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Wed, 7 Dec 2011 17:00:13 +0000

Our requirements:

8 characters minimum
1 upper case character minimum
1 lower case minimum
1 number minimum
1 special character minimum
Expires after 180 days (this was temporarily disabled)

Students can use a self-service password reset that requires the answers to five security questions that they choose.  
In practice, I don't think this helps.  We manually do a few thousand password resets every year because students 
forget their passwords and their security questions (we only have about 10k students).  I think our requirements are 
overly picky; we'd be better off requiring longer passwords with less complexity per character so that we could 
encourage students to use passphrases.  Many of our students only use their accounts a few times a semester and this 
makes it easy for them to forget their passwords.  Also, many of our students have a hard time picking a password that 
will meet the complexity requirements and this has led to our helpdesk staff giving advice like "Put a name a year and 
a star, for example: Name1928*" which completely defeats the purpose of requiring complex passwords in the first place.

The whole process is currently a big security hole.  We have to process so many resets that it would be impossible for 
us to carefully scrutinize every request for a password reset or to make everyone show up in person with ID.

We switched from our previous requirements, which were much more lax, to these with no notice and very little 
discussion--it went from idea to implementation while I was on vacation last year...  It hasn't worked out very well 
for us.  For anyone considering a change, please initiate some local discussion before you do anything.  Consider what 
you're trying to accomplish and how the proposed changes will actually accomplish it.  Don't rush into something 
without considering the impact of the changes and preparing to handle the support/education that comes with it.

Best regards,

Steven Alexander Jr.
Online Education Systems Manager
Merced College
3600 M Street
Merced, CA 95348-2898
(209) 384-6191
alexander.s () mccd edu
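An added example, not part of the thread: the complexity policy listed above encoded in Python, with a check for the "Name1928*" pattern the helpdesk advice produces. It shows that such a string satisfies every rule yet falls into a small guessable template, while a four-word passphrase the same rules reject has a larger realistic search space. The list sizes used for the estimate (5000 first names, 100 years, 32 symbols, a 7776-word list) are assumptions, not figures from the post.

```python
import math
import re

# The five complexity rules listed in the post (expiry is a separate process).
POLICY_RULES = {
    "min_length_8": lambda p: len(p) >= 8,
    "has_upper": lambda p: re.search(r"[A-Z]", p) is not None,
    "has_lower": lambda p: re.search(r"[a-z]", p) is not None,
    "has_digit": lambda p: re.search(r"[0-9]", p) is not None,
    "has_special": lambda p: re.search(r"[^A-Za-z0-9]", p) is not None,
}

# Shape of the helpdesk advice "a name, a year and a star": capitalised word,
# four-digit year in 1900-2099, one trailing symbol.
NAME_YEAR_SYMBOL = re.compile(r"^[A-Z][a-z]+(19|20)\d\d[^A-Za-z0-9]$")

# Assumed list sizes for the guess-space estimates (constructed, not measured).
COMMON_NAMES, YEARS, SYMBOLS, WORDLIST = 5000, 100, 32, 7776


def check_complexity_policy(password):
    """Return the names of the rules the password fails; [] means it passes."""
    return [name for name, rule in POLICY_RULES.items() if not rule(password)]


def looks_like_helpdesk_template(password):
    """True when the password matches the Name+Year+Symbol template."""
    return NAME_YEAR_SYMBOL.match(password) is not None


def estimate_guess_bits(password):
    """Rough log2 of the space an attacker who knows the user's habits must search.
    Template passwords: names x years x symbols. Multi-word passphrases: one
    dictionary pick per word. Anything else: random over its character classes."""
    if looks_like_helpdesk_template(password):
        return math.log2(COMMON_NAMES * YEARS * SYMBOLS)
    words = password.split()
    if len(words) >= 3:
        return len(words) * math.log2(WORDLIST)
    classes = sum(size for pat, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                         (r"[0-9]", 10), (r"[^A-Za-z0-9]", 32))
                  if re.search(pat, password))
    return len(password) * math.log2(classes)


if __name__ == "__main__":
    for candidate in ("Name1928*", "correct horse battery staple"):
        print(candidate, check_complexity_policy(candidate),
              round(estimate_guess_bits(candidate), 1), "bits")
```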

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel Bennett
Sent: Tuesday, December 06, 2011 8:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Student Passwords

This has gone around a few times in the past but I am looking for fresh results.

What is your stance on student passwords?  Do you make them change their password every X number of days?  Complexity 
rules? Etc.

Thanks.
