Educause Security Discussion mailing list archives

Re: password length and required reset


From: Nicholas Garigliano <ngarigl8 () NAZ EDU>
Date: Sun, 9 Oct 2016 10:50:34 -0400

Hi Mike,

Some thoughts on password requirements in general:
- It is common for people to reuse account credentials at multiple sites
that never require a password change (Amazon, Twitter, etc.). If one of the
sites gets hacked and the credentials get dumped, then that increases the
exposure for your site. Not to mention the nightmare it creates for the
user.
- While pass phrases are generally more secure, simple/common ones like
"Star Wars VII" are not. You can find these in most on-line cracking
databases/lists. Of course, complexity and length are always a trade-off
between usability and administrative overhead (resets, etc.).
- Current technology has made cracking dumped hashes more feasible for your
average bad guy.
- Education can help. Many users, though not all, as we know, will listen if
you explain clearly and succinctly why reusing passwords is not in their best
interest. Suggesting the use of a password vault is, I feel, also a good
idea.

So my deep thoughts on passwords are that you do need a minimum of 8, they
need to be changed (and not just incremented, e.g. password123), and there
should be some complexity. But as usual, it all depends on what you are
allowed to do or can do in your particular environment.

Nick Garigliano, CISSP, GCIH
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109

On Fri, Oct 7, 2016 at 3:28 PM, Mike Cunningham <mike.cunningham () pct edu>
wrote:

We currently have a password length rule of 6 with a password expiration of
180 days. We are considering changing that to a length of 12 with a
recommendation to use a pass phrase, and no expiration. Students can change
their password daily or never, as they wish. We believe the longer length
requirement will make the password so much stronger that the password reset
is no longer needed. This change is for students ONLY. Employees will still
have a password reset requirement.

Thanks


Mike Cunningham
VP of Information Technology Services/CIO
Pennsylvania College of Technology
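The two checks Nick raises, rejecting pass phrases that sit in common cracking lists (his "Star Wars VII" case) and rejecting a "changed" password that is really just the old one incremented ("password123"), can be enforced at change time. The following is an added example written for this archive page; it is not code from either poster or from their colleges. It assumes the 12-character minimum Mike proposes, and the wordlist, sample passwords and function names are constructed stand-ins for illustration.

```python
import re
from typing import List, Optional

# Assumed policy value: the 12-character minimum from Mike's proposal.
MIN_LENGTH = 12

# Constructed stand-in for a breach dump / cracking wordlist. A real check
# would consult a large corpus (or a hashed-prefix lookup service), not this.
COMMON_PASSWORDS = {
    "password",
    "star wars vii",
    "letmein",
    "qwerty123",
    "correct horse battery staple",
}

_TRAILING_JUNK = re.compile(r"[\d\W_]+$")   # trailing digits / punctuation
_SEPARATORS = re.compile(r"[\s\W_]+")       # whitespace and punctuation anywhere


def normalize(pw: str) -> str:
    """Reduce a password to the stem a cracking rule set would recover.

    Case-folds, strips a trailing run of digits/symbols (the "123" / "!"
    people append), then drops whitespace and punctuation, so
    'StarWarsVII1!' and 'Star Wars VII' both become 'starwarsvii'.
    """
    stem = pw.casefold()
    stem = _TRAILING_JUNK.sub("", stem)
    return _SEPARATORS.sub("", stem)


# Pre-normalize the wordlist once so lookups compare stem to stem.
COMMON_STEMS = {normalize(p) for p in COMMON_PASSWORDS}


def is_increment_of(new: str, old: str) -> bool:
    """True when the new password is the old one with only case, punctuation
    or a trailing counter changed (Summer2016! -> Summer2017!), or when the
    old stem is simply embedded in the new password.

    Needs the old password in clear, which is available at change time
    because the user supplies it to authorize the change; nothing here
    requires storing plaintext.
    """
    new_stem, old_stem = normalize(new), normalize(old)
    return bool(old_stem) and (new_stem == old_stem or old_stem in new_stem)


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    stem = normalize(new)
    if not stem:
        # e.g. '1234567890!!' strips to nothing: length alone is no defence.
        problems.append("consists only of digits and symbols")
    elif stem in COMMON_STEMS:
        problems.append("variant of a password found in common cracking lists")

    if old is not None and is_increment_of(new, old):
        problems.append("too similar to the previous password (incremented or re-cased)")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: (candidate, previous password or None).
    samples = [
        ("Star Wars VII", None),
        ("password124", "password123"),
        ("Summer2017!", "Summer2016!"),
        ("1234567890!!", None),
        ("my cat walks across the keyboard at 3am", "Summer2016!"),
    ]
    for candidate, previous in samples:
        print(f"{candidate!r}: {check_password(candidate, previous) or 'OK'}")
```

The normalization is deliberately the same kind of transformation a cracking rule set applies (case, trailing digits, punctuation), so anything it maps onto the wordlist is exactly what an attacker with a dumped hash would try first. In production the inline set would be replaced by a check against a real breach corpus, and the rejected-reasons list fed back to the user so the education point lands at the moment it matters.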