Re: password length and required reset

["Flynn, Gary - flynngn" <flynngn () JMU EDU>]

Compromise of the accounts you mention primarily affect the data and services 
of the owner of the account. That is, they're self-service accounts.

Compromise of a faculty or staff account would almost certainly provide 
unauthorized access to constituent data, institutional data, and/or the 
ability to affect constituent services.

I would guess that the authentication policies for the employees of the 
organizations you listed are different than the policies that apply to their 
customers. At least I'd hope so. :)

Gary Flynn
Security Engineer
James Madison University

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike
> Cunningham
> Sent: Monday, October 10, 2016 9:10 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] password length and required reset
>
> Thanks for the feedback.
>
> How do you counter the argument that no other online service that requires
> passwords have any set time limit on a password, and they are sites with
> much more sensitive information. Bank sites, credit card sites, amazon,
> paypal, gmail, yahoo, Hotmail, outlook.com phone companies, Netflix, etc. I
> can't think of any service that I have myself that requires me to change a
> password on a regular basis and that is how students view us, as just 
> another
> online service.  I am 100% in favor of employees needing to reset a password
> since their access gives them access to other peoples data but for students
> they only have access to their own data so password mismanagement only
> puts their own data at risk, just like on any of those other services.
>
> Mike Cunningham
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Boyd, Daniel
> Sent: Monday, October 10, 2016 8:42 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] password length and required reset
>
> You are correct in thinking that 12 characters will help.  If you run 
> passwords
> through most any analyzer, that 12th character adds a tremendous amount
> of time to the decryption process... but will not help if common phrases,
> titles, and sequences are used.
>
> We recently moved all faculty, staff and service accounts to a 90-day
> password reset cycle, with a history of 6.  We are considering a minimum
> password age of 2 days, but have not implemented that change yet.  We
> recommend the password to be a minimum of 8, but no longer than 13
> characters (any longer and Office365 complains, at least as of August of 
> this
> year) and cannot contain three consecutive characters of their username.  It
> also must have a capital letter and a number or symbol.
>
> It has taken a number of years to push this policy amid lots of grumbling 
> from
> staff and faculty.  We got buy-in from administration by explaining our
> reasons for implementing, we communicated the change effectively to the
> community and so far, have not had significant backlash.  We considered
> having two different policies for staff and faculty, but decided it was in
> everyone's best interest to enforce the stricter policy (whether they
> believed it or not).
>
> Students have all the same requirements except the max age for their
> password is 180 days.  No issues there either, as this is explained at
> orientation.  While it frustrates a tiny percentage, it is an acceptably low
> percentage.
>
> The key is effective communication and simple explanation of the reasons
> why this is important.
>
> Good luck with any changes you make.
>
> Dan
>
>
> Daniel H. Boyd (94C)
> Senior Network Architect
> Network Operations
> Information Security Advisory Group Chair Berry College
> Phone: 706-236-1750
> Fax:     706-238-5824
>
> There are two rules to follow with your account passwords:
> 1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
> 2. If unsure, consult rule #1
>
>
>
>
> -----Original Message-----
> From: Mike Cunningham [mailto:mike.cunningham () PCT EDU]
> Sent: Friday, October 07, 2016 3:29 PM
> Subject: password length and required reset
>
> We current have a password length rule of 6 with a password expiration of
> 180 days. We are considering changing that to a length of 12 with a
> recommendation to use a pass phrase, and no expiration. Students can want
> to can change their password daily or never. We believe the longer length
> requirement will make the password so much stronger that the password
> reset is no longer needed. This change is for students ONLY. Employees will
> still have a password recent requirement.
>
> Thanks
>
>
> Mike Cunningham
> VP of Information Technology Services/CIO Pennsylvania College of
> Technology

Attachment: smime.p7s
Description: