Educause Security Discussion mailing list archives

Re: Password Standards


From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Wed, 3 Sep 2014 21:15:58 +0000

Many of the responses, the password policy pages particularly, were quite
similar with only a few notable, but slight differences.  I only saw a couple
that mentioned how passwords were to be stored by developers and only
with the vague notion of "encryption".  More guidelines for internal
developers or third parties might be nice.
Specifically, detail tools and methods for using and storing a hash and salt,
sysadmins performing password crack audits and so on.

John - Speaking for myself, I was just trying to answer the original question.  The larger question you now pose is likely also covered in the mountain of policies most of us have.  As a sample, I give you:

http://www.it.northwestern.edu/policies/softwareauth.html
http://www.it.northwestern.edu/policies/bid.html
http://www.it.northwestern.edu/policies/dataencryption.html

A little dorking on our various websites may yield similar results.

