Re: Password change *recommended* -- RESULTS?

[Ken Connelly <Ken.Connelly () UNI EDU>]

For most accounts, we went to a minimum 15-character passphrase with a
one-year expiration about a year ago (implemented in a staggered fashion
over roughly a 90-day period).  So far, so good.  There was the expected
initial grumbling about "15!! characters?!?", but once the annual
expiration (vs. 90 and 180 days for different classes of users) was
absorbed, things have settled.  We'll see if the initial renewal period
generates new problems, but so far it's been smooth.

- ken

On 4/16/14, 2:24 PM, McClenon, Brady wrote:
> I’d be curious how this works out.  I’m guessing requiring a 14
> character password is going cut down a lot of password reuse on other
> sites.  They’ll want a shorter one for other sites. J
>
>  
>
> Not that I oppose a 14 character password.  I’m just commenting on my
> perception of the behavior of others…
>
>  
>
>  
>
> *From:*The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Ben Marsden
> *Sent:* Wednesday, April 16, 2014 1:58 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Password change *recommended* -- RESULTS?
>
>  
>
> Hi all,  First, the direct answer to the question : I sent a mass
> email recommending a pwd change at 3:39pm on Friday (later than I'd
> hoped, another story).  Between then and midnight Monday - which I
> think is a good window for direct response to this message -- we had
> 674 people change their passwords, or roughly 15% of the total user
> population. I think that's a decent number...
>
>  
>
> On the more general questions raised since :  we recently changed our
> password policy to require more secure passwords (we're now at 14
> character minimum, the stick), but we no long expire them (the
> carrot).  As part of this change, we tried hard to drive home two key
> awareness responsibilities to our users : () do NOT share your account
> access with anyone -- including your parents,  and () do NOT use your
> Smith password for *any other* account you may have.   Non-expiring
> pwds is a risk trade-off, along with many factors, but in general, I'm
> OK with this policy.  
>
>  
>
> So, yes, I now take moments like this to actively remind people to
> voluntarily change their passwords.
>
>  
>
> And yes, I'd love to move away from passwords as the sole guardian to
> user identity authentication, especially as we expand the use of SSO
> and cloud-based services...
>
>  
>
> hope this helps,
>
>  
>
> -- Ben
>
>
>  
>
> ============================================
> Ben Marsden : Information Security Director, CISSP/GISP
> ITS, Stoddard Hall, Smith College, Northampton, MA 01063
> bmarsden [at] smith [.] edu     413 [.] 585 [.] 4479
> ---------------------------------------------------------------------
>
> =--> Any request to reveal your Smith password via email is fraudulent!
>
>  
>
>  
>
> On Wed, Apr 16, 2014 at 8:03 AM, Pedersen, Krystal
> <Krystal.Pedersen () umassmed edu <mailto:Krystal.Pedersen () umassmed edu>>
> wrote:
>
>     Hello Everyone – I was looking to get an idea as to how successful
>     a recommended password change broadcast is (to the entire school
>     population)? Perhaps a percentage, such as -- last time we sent a
>     broadcast out recommended a password change, with instructions on
>     how to change your password, less than 1% of passwords were
>     actually changed?
>
>      
>
>     Thanks!
>
>      
>
>     Krystal Pedersen, CISA
>
>     Information Technology 
> <https://urldefense.proofpoint.com/v1/url?u=http://inside.umassmed.edu/is/index.aspx&k=7DHVT22D9IhC0F3WohFMBA%3D%3D%0A&r=yppbvsV1vRTy%2FrjhLIIxm488RCwdY6q%2B9kaVJLSs%2B%2F0%3D%0A&m=fT5nRffGIDkZNGtpxFUd5dFVpJCcQhRFxlj4k%2BrAaTg%3D%0A&s=9e20eb72c435d83ba24c7a88adb5113262f519367c72bb0a963d42a3f6f11e7e>
>
>     Information Security, Risk & Compliance Analyst
>
>     krystal.pedersen () umassmed edu <mailto:krystal.pedersen () umassmed edu>
>
>  

-- 
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!