Educause Security Discussion mailing list archives

Re: password length and required reset


From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Mon, 10 Oct 2016 14:00:34 +0000

Point taken. We too spend a lot of time and money on password issues.

I've seen several recommendations lately for abolishing password change policies. I think from both Microsoft and even 
NIST. I'd feel a lot more comfortable about the recommendation if:

1) I didn't see constant news reports of tens or hundreds of millions of account credentials being harvested from 
compromised major services. People reuse passwords. Policies have to take that into account or the business is making a 
decision to accept the resulting losses.
2) Phishing wasn't so prevalent a crime and along with it the possibility that the more sophisticated criminals are 
caching compromised credentials for longer periods of time. Not all miscreants are simple spammers.
3) Multi-factor authentication was more universal.

I think you have to look at all the ways compromised student accounts can hurt you and the frequency with which they're 
compromised. If the losses are lower than the losses being incurred enforcing password changes, a business decision to 
accept the alternate losses could be made. Students concerned about their security would always have the option to 
change them periodically if they wished.


Gary Flynn
Security Engineer
James Madison University


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike
Cunningham
Sent: Monday, October 10, 2016 9:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password length and required reset

Very true and I would never propose eliminating password resets for any
employee (employees include all faculty). That is a must. Our current
discussion on password resets is only in the world of students.

We issue students credentials when they apply, which can be a year before
they get on campus. Most will follow the steps to "activate" the account, and
change their default password, but many don’t use the account until they
need to take placement tests or come for summer orientation, and by then
the password has expired and many forget what password they chose, and
oddly enough many also forget the answers to their reset questions. We do
send them multiple warnings via email about their password about to expire
but new students don't seem to check email or they do and don't care. Once
they get past that point and get on campus they use that password for
phone wifi access, tablet wifi access, laptop wifi access, email account setup
on phones and tablets, some game systems with 802.11. Then it's time to
reset the password again and they need to change it in all those places again
or end up causing account lockouts when those devices continue to try and
authenticate with the wrong password. The amount of time we are spending
dealing with password problems is growing every year and it keeps us from
moving forward on new projects.

Mike Cunningham

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, Gary -
flynngn
Sent: Monday, October 10, 2016 9:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password length and required reset

Compromise of the accounts you mention primarily affects the data and
services of the owner of the account. That is, they're self-service accounts.

Compromise of a faculty or staff account would almost certainly provide
unauthorized access to constituent data, institutional data, and/or the ability
to affect constituent services.

I would guess that the authentication policies for the employees of the
organizations you listed are different than the policies that apply to their
customers. At least I'd hope so. :)

Gary Flynn
Security Engineer
James Madison University

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike
Cunningham
Sent: Monday, October 10, 2016 9:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password length and required reset

Thanks for the feedback.

How do you counter the argument that no other online service that
requires passwords has any set time limit on a password, and they are
sites with much more sensitive information: bank sites, credit card
sites, Amazon, PayPal, Gmail, Yahoo, Hotmail, outlook.com, phone
companies, Netflix, etc. I can't think of any service that I have
myself that requires me to change a password on a regular basis, and
that is how students view us, as just another online service.  I am
100% in favor of employees needing to reset a password since their
access gives them access to other people's data, but students
only have access to their own data, so password mismanagement only puts
their own data at risk, just like on any of those other services.

Mike Cunningham

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Boyd, Daniel
Sent: Monday, October 10, 2016 8:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password length and required reset

You are correct in thinking that 12 characters will help.  If you run
passwords through most any analyzer, that 12th character adds a
tremendous amount of time to the decryption process... but will not
help if common phrases, titles, and sequences are used.

We recently moved all faculty, staff and service accounts to a 90-day
password reset cycle, with a history of 6.  We are considering a
minimum password age of 2 days, but have not implemented that change
yet.  We recommend the password to be a minimum of 8, but no longer
than 13 characters (any longer and Office365 complains, at least as of
August of this year) and it cannot contain three consecutive characters
of their username.  It also must have a capital letter and a number or
symbol.

It has taken a number of years to push this policy amid lots of
grumbling from staff and faculty.  We got buy-in from administration
by explaining our reasons for implementing, we communicated the change
effectively to the community and so far, have not had significant
backlash.  We considered having two different policies for staff and
faculty, but decided it was in everyone's best interest to enforce the
stricter policy (whether they believed it or not).

Students have all the same requirements except the max age for their
password is 180 days.  No issues there either, as this is explained at
orientation.  While it frustrates a tiny percentage, it is an
acceptably low percentage.

The key is effective communication and simple explanation of the
reasons why this is important.

Good luck with any changes you make.

Dan


Daniel H. Boyd (94C)
Senior Network Architect
Network Operations
Information Security Advisory Group Chair
Berry College
Phone: 706-236-1750
Fax:   706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
2. If unsure, consult rule #1
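The rules Dan describes above (8 to 13 characters, a capital letter plus a number or symbol, no three consecutive characters of the username, a history of 6, a 90-day maximum age and a possible 2-day minimum age) and the proposal in Mike's original message (12-character minimum, no expiry) can both be expressed as a small policy object and checked the same way. The following is an added example written for this archive page, not code from either poster or their institutions. The field names, the `Policy` class and the character-class size of 95 printable ASCII characters used in the keyspace estimate are assumptions; the sample usernames and passwords are constructed.

```python
"""Password-policy checker modelled on the rules discussed in this thread.

Added example, not code from any of the posters. The policy objects encode
the rules as the messages describe them; the alphabet size of 95 used for the
keyspace estimate is an assumption (printable ASCII).
"""
from dataclasses import dataclass
from datetime import date, timedelta
import math
import string
from typing import List, Optional, Sequence


@dataclass
class Policy:
    name: str
    min_length: int
    max_length: Optional[int] = None          # None: no upper bound
    max_age_days: Optional[int] = None        # None: password never expires
    min_age_days: int = 0                     # 0: may be changed again immediately
    history: int = 0                          # previous passwords that may not be reused
    require_upper: bool = False
    require_digit_or_symbol: bool = False
    username_substring_len: Optional[int] = None  # forbid this many consecutive username chars


# Employee rules as described in Dan Boyd's message (2-day minimum age included).
BERRY_EMPLOYEE = Policy("Berry employee", min_length=8, max_length=13, max_age_days=90,
                        min_age_days=2, history=6, require_upper=True,
                        require_digit_or_symbol=True, username_substring_len=3)

# Student rules as proposed in Mike Cunningham's original message.
PCT_STUDENT_PROPOSED = Policy("PCT student (proposed)", min_length=12)


def username_fragments(username: str, n: int) -> set:
    """All runs of n consecutive characters of the username, lower-cased."""
    u = username.lower()
    return {u[i:i + n] for i in range(len(u) - n + 1)}


def check_password(policy: Policy, password: str, username: str,
                   previous: Sequence[str] = (), last_changed: Optional[date] = None,
                   today: Optional[date] = None) -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable.

    `previous` holds earlier passwords in plaintext only for illustration; a real
    directory compares against stored hashes.
    """
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.max_length is not None and len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if policy.require_digit_or_symbol and not any(
            c.isdigit() or c in string.punctuation for c in password):
        problems.append("no number or symbol")
    if policy.username_substring_len and username:
        n = policy.username_substring_len
        lowered = password.lower()
        if any(frag in lowered for frag in username_fragments(username, n)):
            problems.append(f"contains {n} consecutive characters of the username")
    if policy.history and password in list(previous)[-policy.history:]:
        problems.append(f"matches one of the last {policy.history} passwords")
    if policy.min_age_days and last_changed is not None:
        today = today or date.today()
        if today - last_changed < timedelta(days=policy.min_age_days):
            problems.append(f"changed less than {policy.min_age_days} days ago")
    return problems


def is_expired(policy: Policy, last_changed: date, today: date) -> bool:
    """True once the policy's maximum age has passed; a policy without one never expires."""
    if policy.max_age_days is None:
        return False
    return today - last_changed > timedelta(days=policy.max_age_days)


def keyspace_bits(length: int, alphabet_size: int = 95) -> float:
    """log2 of the candidates an exhaustive search must cover for a random password.

    Each extra character multiplies the space by alphabet_size, which is the
    effect Dan describes for the 12th character. It does not apply to common
    phrases or sequences, whose effective space is the size of the wordlist.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample account (not real data).
    user = "jsmith"
    for pw in ("Smith2016!", "Tr0ub4dor&3", "correct horse battery staple"):
        for pol in (BERRY_EMPLOYEE, PCT_STUDENT_PROPOSED):
            print(f"{pol.name:24} {pw!r:32} -> {check_password(pol, pw, user) or 'ok'}")
    print(f"12 vs 11 random chars: +{keyspace_bits(12) - keyspace_bits(11):.2f} bits")
```

Running the block shows the trade-off the thread is about: the 28-character passphrase fails the employee policy only because of the 13-character cap and the capital/number rules, while it passes the proposed student policy, which has no expiry to enforce.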




-----Original Message-----
From: Mike Cunningham [mailto:mike.cunningham () PCT EDU]
Sent: Friday, October 07, 2016 3:29 PM
Subject: password length and required reset

We currently have a password length rule of 6 with a password expiration
of 180 days. We are considering changing that to a length of 12 with a
recommendation to use a passphrase, and no expiration. Students who
want to can change their password daily or never. We believe the
longer length requirement will make the password so much stronger that
the password reset is no longer needed. This change is for students
ONLY. Employees will still have a password reset requirement.

Thanks


Mike Cunningham
VP of Information Technology Services/CIO
Pennsylvania College of Technology

