Educause Security Discussion mailing list archives
Re: Who is using Passphrase over 16 characters
From: Dan Wasson <dan () NMC EDU>
Date: Fri, 4 Sep 2020 11:07:40 -0400
We have just implemented a 12 character minimum with all four character types required. We had been using different password policies for students and employees, but have moved to 1 common policy. We implemented the changes as a result of a complete IT audit conducted this summer. When the announcement was made to everyone that the changes were made, I received 2 email pushback messages, both from students. I expected far more.

If you want to do something fun, try a complete IT audit (practices & procedures, internal and external pen tests) while everyone is remote, auditors and my staff.

Dan Wasson
Director Systems & LAN Management
Northwestern Michigan College
231-995-1164
dwasson () nmc edu

Don't be a scam victim - NMC and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information.

On Fri, Sep 4, 2020 at 10:27 AM Alex Lindstrom <aglind () udel edu> wrote:

We have a 12-character minimum with at least three character types being required. We also reject upon creation any passwords that consist of a common phrase or dictionary word or that match one of the user's last several passwords.

That being said, we rely on two-factor as the real control, and all students and employees are required to configure it. Even with education, user password practices are not renowned for their security.

-----
Alex Lindstrom
IT Security Analyst II
UDIT Security | Governance, Risk, & Compliance
(302) 831-4823

On Fri, Sep 4, 2020 at 10:15 AM Scott Hicks <000001df2216c6a1-dmarc-request () listserv educause edu> wrote:

FWIW, here is our policy (we require a password that's between 14 and 30 characters) with examples and a little education on why longer passwords are stronger...

https://uncg.service-now.com/kb?id=kb_article_view&sysparm_article=KB0010158

Regards,
Scott Hicks
Network Architect
336-334-9756
scott.hicks () uncg edu

On Thu, Sep 3, 2020 at 5:20 PM Francisco Chavez <fac3 () stmarys-ca edu> wrote:

Hi Alan,

We have implemented a 16+ passphrase policy here at Saint Mary’s for a few years now. It was a struggle at first but we are better for it. We also have different policies for different levels of access that include lockout thresholds as well as password refreshes every 365 days. We also require MFA as well on top of the passphrase depending on certain risk criteria (Location, Device, etc.)

Sincerely,
Francisco Chavez

--
Francisco Chavez, MBA | Director, Infrastructure and Operations
Saint Mary's College of California
IT Services <https://www.stmarys-ca.edu/it-services>
phone: (925) 631-8236
email: fac3 () stmarys-ca edu

On Sep 3, 2020, at 2:12 PM, Alan Amesbury <amesbury () OITSEC UMN EDU> wrote:

On 03 Sep 20, at 16:05, Cathy Hubbs <hubbs () AMERICAN EDU> wrote:

We have been supporting 2 password policies for several years and would like to move to 1 (the 16+ character passphrase). Wondering how many of you have adopted a longer/stronger passphrase policy? For ease of response – anyone using passphrase policy requiring at least 12 characters?

[snip]

Policy requires a complex password for our high and medium classifications:

https://policy.umn.edu/it/securedata-appaaam

The policy refers to https://it.umn.edu/resources-it-staff-partners/information-security-standards/authentication-access-account-management for a discussion of what a complex password is, which includes a requirement that it be >=16 characters long.

I note they didn't use my own authentication factor definitions:

1) Something you lose.
2) Something you forget.
3) Something you cease to be.

--
Alan Amesbury
Security Analyst | University Information Security (UIS)
University of Minnesota | umn.edu | 612-625-8810

Information Security is a shared responsibility. Learn more at: https://it.umn.edu/what-security-incident

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community