Educause Security Discussion mailing list archives

Re: Password expiration Process ?


From: David Lundy <dlundy () PACIFIC EDU>
Date: Thu, 6 Apr 2006 10:51:03 -0700

We are about to find out about email notification.

We use Active Directory authentication for a number of services such as
faculty/staff/lab Windows authentication, home directories (each
faculty/staff/student has one on a NetApp box), Sun Ray (Sun thin
client), Portal access, home/web directory access via the web,
BlackBoard and VPN authentication.  We went to 180 day expiration last
Fall and reset the clock on passwords then.  We also implemented AD's
complex password requirement for new passwords.  Two week warnings
started Monday for Windows Logins for those whose passwords are reaching
that 180 day limit.  We will be doing email notifications next week.
Some services do not warn of impending expiration and we feel the email
notification is necessary.

For password self service we use Password Station from Avatier.  We
call this service "Locksmith".  This has worked very well for user self
service.  It got a rating of 3.8 on a five point user satisfaction scale
in our last annual survey of campus users.  The main issues users faced
was the need to register with the service prior to needing it.  We do
not preload authentication questions to identify the user.   Password
authentication is required to register.  So a user who has not
registered and has forgotten their password still requires help desk
intervention.  That aside, the product has worked very well for us.  It
allows the user to unlock accounts locked by password failure, change
password or handle forgotten passwords.  It emails the user a notice
whenever there has been an attempt to change the password or
authentication information in Locksmith whether successful or
otherwise.

We are also using Locksmith to email password expiration notices.
Unfortunately it emails daily when this feature is set.  So we have set
it to start emailing seven days before expiration.  It will stop when
the password expires or is reset.  The message can not be tailored with
the expiration date and we've had to write the same message to be
appropriate for users at three campuses.  The seven day warning period
starts Monday for a large number of users.

I've only gotten two nastygrams so it looks like 180 aging has gone
pretty well so far.

David Lundy
Acting IT Security Officer
University of the Pacific


franklin () TXSTATE EDU 04/06/06 7:38 AM >>>
I agree with Scott.

We implemented password expiration in October of last year (90 days for
faculty/staff and 180 for students) and are now being asked to review it
again by the faculty.  We send multiple reminder emails before disabling
the account but as most have discovered, these emails are usually
deleted without being read or caught by internal rules or spam filters.
After searching the list archives as well as reading many other
university policies, we are moving toward changing the expiration to
once per year and begin working on two factor authentication for those
with access to private data.

Elliott Franklin, CISSP
Information Security Analyst
Texas State University-San Marcos
http://www.vpit.txstate.edu/security
512.245.2501

-----Original Message-----
From: Scott Bradner [mailto:sob () HARVARD EDU]
Sent: Thursday, April 06, 2006 9:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password expiration Process ?

 First, are any of you using a password
expiration process in a student self-service environment?

specifically no
reviewing the research (as was done in a discussion on this list a
while back) we concluded that forcing password changes would, in net,
reduce security rather than increase it for this type of situation
(along with pissing off the students etc)

it seems far better to do things like send email notices when some
kinds of changes are made by the student (e.g. changing password or
privacy settings) that might indicate a 3rd party accessing the
account

Scott
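The two notification jobs described in this thread, David Lundy's expiration warnings (a 180 day maximum age with a warning window, and a notice that carries the actual expiration date, which he notes the vendor tool could not produce) and the change notices that both Locksmith and Scott describe (mail the account owner whenever a password or authentication-data change is attempted, successful or not), as an added example. This is not code from the thread, from Avatier Password Station or from any of the universities named; it runs over constructed sample accounts and events embedded in the file, and a real job would read pwdLastSet and userAccountControl from Active Directory over LDAP instead.

```python
# Added example (not code from the list thread, Avatier Password Station,
# or any university): the two notification jobs the thread describes, run
# over constructed sample data. A real job would read pwdLastSet and
# userAccountControl from Active Directory over LDAP; here they are embedded.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD pwdLastSet epoch
DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl flag: password never expires
NORMAL_ACCOUNT = 0x200        # userAccountControl flag: ordinary user account
SENSITIVE_CHANGES = {"password", "auth_questions", "privacy_settings"}


def filetime_to_datetime(filetime: int) -> datetime:
    """pwdLastSet is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    return int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000


def expiry_date(pwd_last_set: int, max_age_days: int = 180) -> datetime:
    """Date on which a password set at pwd_last_set hits the domain's maximum age."""
    return filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)


def expiring_accounts(accounts, now, warn_days=14, max_age_days=180):
    """Accounts whose password expires within warn_days (or already has).

    Returns (name, expiry date, days left) tuples. pwdLastSet == 0 means the
    password must be changed at next logon, and DONT_EXPIRE_PASSWD accounts
    never age, so both are skipped rather than warned about.
    """
    hits = []
    for acct in accounts:
        if acct["pwdLastSet"] == 0 or acct["userAccountControl"] & DONT_EXPIRE_PASSWD:
            continue
        expires = expiry_date(acct["pwdLastSet"], max_age_days)
        days_left = (expires - now).days
        if days_left <= warn_days:
            hits.append((acct["sAMAccountName"], expires, days_left))
    return hits


def expiry_notice(name, expires, days_left):
    """Warning text that includes the actual expiration date."""
    when = expires.strftime("%Y-%m-%d")
    if days_left <= 0:
        return f"{name}: your password expired on {when}; use self-service to reset it."
    return f"{name}: your password expires on {when} ({days_left} days); change it before then."


def change_notice(event):
    """Notice to the account owner for a security-relevant change attempt.

    Sent whether or not the attempt succeeded, so the owner learns of a
    third party trying to alter the account. Returns None for changes
    that do not affect authentication or privacy.
    """
    if event["change"] not in SENSITIVE_CHANGES:
        return None
    outcome = "succeeded" if event["success"] else "FAILED"
    return (f"{event['user']}: an attempt to change your {event['change']} "
            f"from {event['source']} at {event['time']} {outcome}. "
            "If this was not you, contact the help desk.")


# Constructed sample data: a "now" of 10 Apr 2006, five accounts, three events.
NOW = datetime(2006, 4, 10, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(datetime(2005, 10, 20, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(datetime(2006, 2, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": 0},
    {"sAMAccountName": "dave", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,
     "pwdLastSet": datetime_to_filetime(datetime(2005, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "erin", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(datetime(2005, 10, 1, tzinfo=timezone.utc))},
]
SAMPLE_EVENTS = [
    {"user": "alice", "change": "password", "success": True,
     "source": "10.0.0.5", "time": "2006-04-10T09:00Z"},
    {"user": "bob", "change": "auth_questions", "success": False,
     "source": "192.0.2.7", "time": "2006-04-10T09:05Z"},
    {"user": "bob", "change": "display_name", "success": True,
     "source": "10.0.0.9", "time": "2006-04-10T09:06Z"},
]

if __name__ == "__main__":
    for name, expires, days_left in expiring_accounts(SAMPLE_ACCOUNTS, NOW):
        print(expiry_notice(name, expires, days_left))
    for ev in SAMPLE_EVENTS:
        msg = change_notice(ev)
        if msg:
            print(msg)
```

Running the file lists alice (8 days left) and erin (expired 11 days ago), skips carol (must change at next logon) and dave (password set never to expire), and emits change notices for alice's successful password change and bob's failed authentication-question change but not for bob's display-name edit. Reporting already-expired accounts alongside the warning window is deliberate: those are the users who will otherwise show up at the help desk, and the services that give no expiration warning are exactly the ones where that happens.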
