Educause Security Discussion mailing list archives
Re: Password Management Policy & Standards
From: Mark Borrie <mark.borrie () OTAGO AC NZ>
Date: Mon, 29 Feb 2016 09:12:58 +1300
I always challenge auditors on forced password changes and ask where this requirement comes from. One helpful auditor stated that the requirement came from the New Zealand government security standard, which has some relevance for us.
I checked the standard and found this control was only mandatory for secret and top secret data. When I pointed this out to the auditor we were both happy. She had made the statement and I had stated why we were not going to apply that control.
We now have a written position on forced password changes that we give auditors on day one so that they can focus on important things.
Mark

On 27/02/2016 1:38 a.m., David Sheryn wrote:
There is an interesting, if somewhat dated, paper by Ross Anderson, Professor of Security Engineering at Cambridge University (http://www.cl.cam.ac.uk/~rja14/ https://www.lightbluetouchpaper.org/ ), reporting on the results of some empirical research to try and establish how much password 'folklore' was actually true (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-500.pdf). I believe that as a result, he successfully challenged the University's auditors' insistence on frequent password changes. IIRC, when asked what basis they had for insisting on this, the only response that the auditors could come up with was "Head Office says so"... Regards
-- Mark Borrie Information Security Manager, Information Technology Services, University of Otago, Dunedin 9054, N.Z. Ph +64 3 479-8395, Fax +64 3 479-8813 Email: mark.borrie () otago ac nz