Educause Security Discussion mailing list archives
Re: Password expiration Process ?
From: David Lundy <dlundy () PACIFIC EDU>
Date: Thu, 6 Apr 2006 10:51:03 -0700
We are about to find out about email notification. We use Active Directory authentication for a number of services such as faculty/staff/lab Windows authentication, home directories (each faculty/staff/student has one on a NetApp box), Sun Ray (Sun thin client), Portal access, home/web directory access via the web, BlackBoard and VPN authentication. We went to 180 day expiration last Fall and reset the clock on passwords then. We also implemented AD's complex password requirement for new passwords. Two week warnings started Monday for Windows logins for those whose passwords are reaching that 180 day limit. We will be doing email notifications next week. Some services do not warn of impending expiration and we feel the email notification is necessary.

For password self service we use Password Station from Avatier. We call this service "Locksmith". This has worked very well for user self service. It got a rating of 3.8 on a five point user satisfaction scale in our last annual survey of campus users. The main issue users faced was the need to register with the service prior to needing it. We do not preload authentication questions to identify the user. Password authentication is required to register. So a user who has not registered and has forgotten their password still requires help desk intervention. That aside, the product has worked very well for us. It allows the user to unlock accounts locked by password failure, change password or handle forgotten passwords. It emails the user a notice whenever there has been an attempt to change the password or authentication information in Locksmith, whether successful or otherwise.

We are also using Locksmith to email password expiration notices. Unfortunately it emails daily when this feature is set. So we have set it to start emailing seven days before expiration. It will stop when the password expires or is reset. The message cannot be tailored with the expiration date and we've had to write the same message to be appropriate for users at three campuses. The seven day warning period starts Monday for a large number of users. I've only gotten two nastygrams so it looks like 180 aging has gone pretty well so far.

David Lundy
Acting IT Security Officer
University of the Pacific
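The post above describes a 180-day maximum password age with a seven-day warning window, driven by Active Directory. The following is an added example (not code from the post, from Avatier, or from the University of the Pacific) showing how such a warning pass can be computed from AD's own attribute values: `pwdLastSet` is a FILETIME (100-nanosecond ticks since 1601-01-01 UTC), `maxPwdAge` on the domain object is a negative interval in the same units, and the `DONT_EXPIRE_PASSWORD` bit of `userAccountControl` exempts an account. The sample account records and the `NOW` timestamp are constructed for illustration; a real run would read these attributes over LDAP, which is omitted here. The function names (`expiry_status`, `build_notices`, `max_pwd_age_days`) are this example's own, and unlike the vendor tool described in the post, the generated message includes the actual expiration date.

```python
"""Password-expiry warning pass computed from Active Directory attribute values.

Added example; the accounts below are constructed, not real directory data.
"""
import math
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 00:00:00 UTC, measured in 100-ns ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10
TICKS_PER_DAY = 86400 * 10**7

# userAccountControl flag: password never expires (exempt from aging).
DONT_EXPIRE_PASSWORD = 0x10000


def filetime_to_datetime(ft: int) -> datetime:
    """Convert an AD FILETIME integer to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert a UTC datetime to an AD FILETIME integer (exact integer math)."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * TICKS_PER_MICROSECOND


def max_pwd_age_days(max_pwd_age: int) -> int:
    """Translate the domain's negative maxPwdAge interval into whole days."""
    return -max_pwd_age // TICKS_PER_DAY


def expiry_status(pwd_last_set: int, uac: int, now: datetime,
                  max_age_days: int = 180, warn_days: int = 7):
    """Classify one account: returns (state, days_left, expires_at).

    state is one of 'never_expires', 'must_change', 'expired', 'warn', 'ok'.
    days_left counts whole days remaining (rounded up), negative once expired.
    """
    if uac & DONT_EXPIRE_PASSWORD:
        return "never_expires", None, None
    if pwd_last_set == 0:
        # AD uses pwdLastSet == 0 to force a change at next logon.
        return "must_change", None, None
    expires = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    days_left = math.ceil((expires - now).total_seconds() / 86400)
    if days_left <= 0:
        return "expired", days_left, expires
    if days_left <= warn_days:
        return "warn", days_left, expires
    return "ok", days_left, expires


def build_notices(accounts, now: datetime, max_age_days: int = 180, warn_days: int = 7):
    """Return one notice dict per account inside the warning window.

    Accounts already expired get nothing here: the warning stops at expiry,
    matching the behaviour described in the post, and an expired account is a
    help-desk case rather than a reminder case.
    """
    notices = []
    for acct in accounts:
        state, days_left, expires = expiry_status(
            acct["sAMAccountName"] and acct["pwdLastSet"], acct["userAccountControl"],
            now, max_age_days, warn_days)
        if state != "warn":
            continue
        expires_date = expires.date().isoformat()
        notices.append({
            "user": acct["sAMAccountName"],
            "days_left": days_left,
            "expires": expires_date,
            "message": (f"Your network password expires on {expires_date} "
                        f"({days_left} day(s) from now). Please change it "
                        f"before then using the password self-service tool."),
        })
    return notices


# Constructed evaluation time (the thread's date) and sample directory records.
NOW = datetime(2006, 4, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200,   # NORMAL_ACCOUNT
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=175))},  # 5 days left
    {"sAMAccountName": "bob",   "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=100))},  # 80 days left
    {"sAMAccountName": "carol", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=181))},  # expired yesterday
    {"sAMAccountName": "dave",  "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},  # exempt
    {"sAMAccountName": "erin",  "userAccountControl": 0x200,
     "pwdLastSet": 0},                                                # must change
]

if __name__ == "__main__":
    for notice in build_notices(SAMPLE_ACCOUNTS, NOW):
        print(notice["user"], notice["message"])
```

Running the block as written yields a single notice, for `alice`, because she is the only sample account inside the seven-day window; `carol` is already expired and `dave` is exempt via the `DONT_EXPIRE_PASSWORD` bit. The rounding-up in `days_left` is deliberate: an account with six days and twenty-three hours left should be told "7 day(s)", not "6".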
franklin () TXSTATE EDU 04/06/06 7:38 AM >>>
I agree with Scott. We implemented password expiration in October of last year (90 days for faculty/staff and 180 for students) and are now being asked to review it again by the faculty. We send multiple reminder emails before disabling the account but as most have discovered, these emails are usually deleted without being read or caught by internal rules or spam filters. After searching the list archives as well as reading many other university policies, we are moving toward changing the expiration to once per year and begin working on two factor authentication for those with access to private data.

Elliott Franklin, CISSP
Information Security Analyst
Texas State University-San Marcos
http://www.vpit.txstate.edu/security
512.245.2501

-----Original Message-----
From: Scott Bradner [mailto:sob () HARVARD EDU]
Sent: Thursday, April 06, 2006 9:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password expiration Process ?
First, are any of you using a password expiration process in a student self-service environment?
specifically no. Reviewing the research (as was done in a discussion on this list a while back) we concluded that forcing password changes would, in net, reduce security rather than increase it for this type of situation (along with pissing off the students etc.). It seems far better to do things like send email notices when some kinds of changes are made by the student (e.g. changing password or privacy settings) that might indicate a 3rd party accessing the account.

Scott
Current thread:
- Password expiration Process ? Theresa Semmens (Apr 06)
- <Possible follow-ups>
- Re: Password expiration Process ? Scott Bradner (Apr 06)
- Re: Password expiration Process ? Franklin, Elliott (Apr 06)
- Re: Password expiration Process ? Penn, Blake (Apr 06)
- Re: Password expiration Process ? David Lundy (Apr 06)
- Re: Password expiration Process ? Gary Flynn (Apr 06)
- Re: Password expiration Process ? Drews, Jane E (Apr 07)
- Re: Password expiration Process ? Kenneth G. Arnold (Apr 07)
- Re: Password expiration Process ? Cal Frye (Apr 07)
- Re: Password expiration Process ? Theresa Semmens (Apr 07)
- Re: Password expiration Process ? Theresa Semmens (Apr 07)