Educause Security Discussion mailing list archives

Re: Password change *recommended* -- RESULTS?


From: "McClenon, Brady" <Brady.McClenon () ONEONTA EDU>
Date: Wed, 23 Apr 2014 20:44:45 -0500

I’d be curious how this works out.  I’m guessing requiring a 14 character password is going to cut down a lot of password 
reuse on other sites.  They’ll want a shorter one for other sites. ☺

Not that I oppose a 14 character password.  I’m just commenting on my perception of the behavior of others…


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben 
Marsden
Sent: Wednesday, April 16, 2014 1:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

Hi all,  First, the direct answer to the question : I sent a mass email recommending a pwd change at 3:39pm on Friday 
(later than I'd hoped, another story).  Between then and midnight Monday - which I think is a good window for direct 
response to this message -- we had 674 people change their passwords, or roughly 15% of the total user population. I 
think that's a decent number...

On the more general questions raised since :  we recently changed our password policy to require more secure passwords 
(we're now at 14 character minimum, the stick), but we no longer expire them (the carrot).  As part of this change, we 
tried hard to drive home two key awareness responsibilities to our users : () do NOT share your account access with 
anyone -- including your parents,  and () do NOT use your Smith password for *any other* account you may have.   
Non-expiring pwds are a risk trade-off, along with many factors, but in general, I'm OK with this policy.

So, yes, I now take moments like this to actively remind people to voluntarily change their passwords.

And yes, I'd love to move away from passwords as the sole guardian to user identity authentication, especially as we 
expand the use of SSO and cloud-based services...

hope this helps,

-- Ben


============================================
Ben Marsden : Information Security Director, CISSP/GISP
ITS, Stoddard Hall, Smith College, Northampton, MA 01063
bmarsden [at] smith [.] edu     413 [.] 585 [.] 4479
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!


On Wed, Apr 16, 2014 at 8:03 AM, Pedersen, Krystal <Krystal.Pedersen () umassmed edu> wrote:
Hello Everyone – I was looking to get an idea as to how successful a recommended password change broadcast is (to the 
entire school population)? Perhaps a percentage, such as -- last time we sent a broadcast out recommended a password 
change, with instructions on how to change your password, less than 1% of passwords were actually changed?

Thanks!

Krystal Pedersen, CISA
Information Technology
Information Security, Risk & Compliance Analyst
krystal.pedersen () umassmed edu

