Educause Security Discussion mailing list archives

Re: Interesting Research


From: John Chapman <John.Chapman () JISC AC UK>
Date: Wed, 3 Apr 2019 08:30:34 +0000

Not a direct response to your question, but the following may be of
interest.

UCL in the UK took an interesting approach to encouraging the use of strong
passwords. They forced weaker passwords to be changed more often (something
students didn't like at all) and stronger passwords wouldn't expire for a
much longer period.

They set passwords to be valid for between 100 and 350 days depending on their
strength when they were set.

There is a slide set from Bridget Kenyon (formerly of UCL) on SlideShare at
https://www.slideshare.net/JISC/password-lifespans-at-ucl-a-training-opportunity
explaining their approach.

John


-
Dr John Chapman CISSP CISM
Head of security operations centre
M 07468 727058
Twitter http://twitter.com/chapman_john
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

jisc.ac.uk 

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company
limited by guarantee which is registered in England under company number
2881024, VAT number GB 197 0632 86. The registered office is: One Castle
Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800. 

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: 02 April 2019 21:01
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Interesting Research

Fellow security pros,

I had an interesting research request come into my inbox today. A researcher
wants to set up a portal for students to self-register with a username and
password. The kicker is that passwords will be stored in plain text and
collected. The premise is to gauge whether students are actually adhering to
suggested practices in password design.

My first reaction is "(heck) no," but I realize I may be overreacting. So, I
decided to see if anyone has dealt with this kind of research and how you
handled it.

While I see the value in the research, my security senses tell me students
will be using the standard password they use for everything. Thus, big risk.



Feel free to contact me directly.

Thank you,

Ron

Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu <mailto:raking () nsu edu>
www.nsu.edu <http://www.nsu.edu/>
@NSUCISO (Twitter)
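The two ideas in this thread, a strength-dependent lifespan in the 100 to 350 day range (UCL's approach) and a study of student password practices that does not need the plaintext (Ron's concern), can be combined in one registration routine. This is an added example, not code from UCL, Jisc or NSU: the entropy heuristic, the 28 and 60 bit thresholds, the linear mapping and the small common-password list are all assumptions, since the thread gives only the day range.

```python
import hashlib
import math
import os
import string

# Constructed sample; a real deployment would use a large breach-derived list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_DAYS = 100  # lifespan floor quoted in the thread
MAX_DAYS = 350  # lifespan ceiling quoted in the thread


def estimate_entropy_bits(password: str) -> float:
    """Rough strength estimate: length * log2(character pool), capped for
    known-common passwords. Assumed heuristic, not UCL's scoring."""
    if not password:
        return 0.0
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    bits = len(password) * math.log2(pool) if pool else 0.0
    if password.lower() in COMMON_PASSWORDS:
        bits = min(bits, 10.0)  # dictionary hit: treat as very weak
    return bits


def lifespan_days(password: str, weak_bits=28.0, strong_bits=60.0) -> int:
    """Map the estimate linearly onto [MIN_DAYS, MAX_DAYS] (assumed mapping)."""
    bits = estimate_entropy_bits(password)
    if bits <= weak_bits:
        return MIN_DAYS
    if bits >= strong_bits:
        return MAX_DAYS
    frac = (bits - weak_bits) / (strong_bits - weak_bits)
    return MIN_DAYS + round(frac * (MAX_DAYS - MIN_DAYS))


def register(password: str) -> dict:
    """Keep only a salted hash for login plus derived features for the study.
    The plaintext never reaches storage."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "length": len(password),
            "entropy_bits": round(estimate_entropy_bits(password), 1),
            "expires_in_days": lifespan_days(password)}
```

The derived record answers the researcher's question (length, estimated strength, policy outcome) without any student's reusable password being written down.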
