Re: Password change *recommended* -- RESULTS?

[Mally Mclane <mally.mclane () BRISTOL AC UK>]

I never really get long passwords and don't think it cuts down on reuse.
England12345 on one site will just become England12 on another site.

There doesn't seem to be an easy solution though.... 2FA (if enforced)
annoys people, complex or lengthy passwords get written down.....

Ho hum.
On 16 Apr 2014 20:24, "McClenon, Brady" <Brady.McClenon () oneonta edu> wrote:

>  I'd be curious how this works out.  I'm guessing requiring a 14
> character password is going cut down a lot of password reuse on other
> sites.  They'll want a shorter one for other sites. J
>
>
>
> Not that I oppose a 14 character password.  I'm just commenting on my
> perception of the behavior of others...
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Ben Marsden
> *Sent:* Wednesday, April 16, 2014 1:58 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Password change *recommended* -- RESULTS?
>
>
>
> Hi all,  First, the direct answer to the question : I sent a mass email
> recommending a pwd change at 3:39pm on Friday (later than I'd hoped,
> another story).  Between then and midnight Monday - which I think is a good
> window for direct response to this message -- we had 674 people change
> their passwords, or roughly 15% of the total user population. I think
> that's a decent number...
>
>
>
> On the more general questions raised since :  we recently changed our
> password policy to require more secure passwords (we're now at 14 character
> minimum, the stick), but we no long expire them (the carrot).  As part of
> this change, we tried hard to drive home two key awareness responsibilities
> to our users : () do NOT share your account access with anyone -- including
> your parents,  and () do NOT use your Smith password for *any other*
> account you may have.   Non-expiring pwds is a risk trade-off, along with
> many factors, but in general, I'm OK with this policy.
>
>
>
> So, yes, I now take moments like this to actively remind people to
> voluntarily change their passwords.
>
>
>
> And yes, I'd love to move away from passwords as the sole guardian to user
> identity authentication, especially as we expand the use of SSO and
> cloud-based services...
>
>
>
> hope this helps,
>
>
>
> -- Ben
>
>
>
>
> ============================================
> Ben Marsden : Information Security Director, CISSP/GISP
> ITS, Stoddard Hall, Smith College, Northampton, MA 01063
> bmarsden [at] smith [.] edu     413 [.] 585 [.] 4479
> ---------------------------------------------------------------------
>
> =--> Any request to reveal your Smith password via email is fraudulent!
>
>
>
>
>
> On Wed, Apr 16, 2014 at 8:03 AM, Pedersen, Krystal <
> Krystal.Pedersen () umassmed edu> wrote:
>
>  Hello Everyone - I was looking to get an idea as to how successful a
> recommended password change broadcast is (to the entire school population)?
> Perhaps a percentage, such as -- last time we sent a broadcast out
> recommended a password change, with instructions on how to change your
> password, less than 1% of passwords were actually changed?
>
>
>
> Thanks!
>
>
>
> Krystal Pedersen, CISA
>
> Information Technology <http://inside.umassmed.edu/is/index.aspx>
>
> Information Security, Risk & Compliance Analyst
>
> krystal.pedersen () umassmed edu