Educause Security Discussion mailing list archives
Re: Password change *recommended* -- RESULTS?
From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Wed, 16 Apr 2014 14:35:58 -0500
For most accounts, we went to a minimum 15-character passphrase with a one-year expiration about a year ago (implemented in a staggered fashion over roughly a 90-day period). So far, so good. There was the expected initial grumbling about "15!! characters?!?", but once the annual expiration (vs. 90 and 180 days for different classes of users) was absorbed, things have settled. We'll see if the initial renewal period generates new problems, but so far it's been smooth.

- ken

On 4/16/14, 2:24 PM, McClenon, Brady wrote:

I'd be curious how this works out. I'm guessing requiring a 14 character password is going to cut down a lot of password reuse on other sites. They'll want a shorter one for other sites. :) Not that I oppose a 14 character password. I'm just commenting on my perception of the behavior of others...

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Marsden
Sent: Wednesday, April 16, 2014 1:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

Hi all,

First, the direct answer to the question: I sent a mass email recommending a pwd change at 3:39pm on Friday (later than I'd hoped, another story). Between then and midnight Monday -- which I think is a good window for direct response to this message -- we had 674 people change their passwords, or roughly 15% of the total user population. I think that's a decent number...

On the more general questions raised since: we recently changed our password policy to require more secure passwords (we're now at 14 character minimum, the stick), but we no longer expire them (the carrot). As part of this change, we tried hard to drive home two key awareness responsibilities to our users: (1) do NOT share your account access with anyone -- including your parents, and (2) do NOT use your Smith password for *any other* account you may have. Non-expiring pwds is a risk trade-off, along with many factors, but in general, I'm OK with this policy. So, yes, I now take moments like this to actively remind people to voluntarily change their passwords. And yes, I'd love to move away from passwords as the sole guardian to user identity authentication, especially as we expand the use of SSO and cloud-based services...

hope this helps,
-- Ben
============================================
Ben Marsden : Information Security Director, CISSP/GISP
ITS, Stoddard Hall, Smith College, Northampton, MA 01063
bmarsden [at] smith [.] edu
413 [.] 585 [.] 4479
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!

On Wed, Apr 16, 2014 at 8:03 AM, Pedersen, Krystal <Krystal.Pedersen () umassmed edu> wrote:

Hello Everyone –

I was looking to get an idea as to how successful a recommended password change broadcast is (to the entire school population). Perhaps a percentage, such as: last time we sent a broadcast out recommending a password change, with instructions on how to change your password, less than 1% of passwords were actually changed?

Thanks!

Krystal Pedersen, CISA
Information Technology <http://inside.umassmed.edu/is/index.aspx>
Information Security, Risk & Compliance Analyst
krystal.pedersen () umassmed edu

--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373
Any request to divulge your UNI password via e-mail is fraudulent!