Educause Security Discussion mailing list archives

Re: Password Management Policy & Standards


From: Joanna Grama <jgrama () EDUCAUSE EDU>
Date: Thu, 25 Feb 2016 13:20:39 +0000

Hi Carlos,
In case it is of any use, the Information Security Guide has a couple of paragraphs on password management, cleverly titled, “To Change or Not to Change? How Often?” You might find those paragraphs useful, as they sum up many of the arguments already shared here.

The link is: https://spaces.internet2.edu/display/2014infosecurityguide/Access+Control

I would say you need to scroll about half way down this page to get to the password management discussion.

Kind regards,
Joanna


Joanna Grama, JD, CISSP, CRISC, CIPT
Director of IT GRC and Cybersecurity Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | main: 303.449.4430 | jgrama () educause edu



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Von Welch
Sent: Thursday, February 25, 2016 8:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management Policy & Standards

+1 to Scott's comment.

Compliance is the best argument for password expiration. I don't believe any risk-based argument holds up when one considers usability costs, and the best arguments I've heard I believe are better addressed by locking inactive accounts rather than expiring passwords.

Von


On Wed, Feb 24, 2016 at 7:26 PM Bradner, Scott <sob () harvard edu> wrote:
you should review
Gene Spafford’s Security Myths and Passwords
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
and Passwords and Myth
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/

Scott

On Feb 24, 2016, at 7:19 PM, Carlos Lobato <clobato () NMSU EDU> wrote:

Hello Colleagues,

I'm working on promoting institutional compliance with our current password policy, which requires regular password changes every 120 days for all accounts.

However, I would like to know if some of you have created a table or matrix listing all of your types of accounts and whether password expiration dates vary depending on the type of account, which would be based on risk.

If you have a listing, I would highly appreciate a link or a copy of your document. I am using various resources including NIST SP 800-118, and I can share with the group after I finish my analysis and potentially re-write our current NMSU password policy to make it more realistic.

Thank you so much for any input that you may have.

Carlos,

Carlos S. Lobato, CISA, CISSP, CPA
IT Compliance Officer

New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM 88003

Phone (575) 646-5902
Fax (575) 646-5278
