Educause Security Discussion mailing list archives
Re: Password Expiration
From: David Walker <David.Walker () UCOP EDU>
Date: Fri, 7 Apr 2006 11:19:20 -0700
At the University of California, we dropped our policy requirement for regular password changes a few years ago. It is our belief that requiring regular password changes can actually decrease security, as it encourages people to write their passwords in insecure locations. Also, the password changes tend to be minimal, say, changing a sequence number within the password. It's our sense that enforcing password changes is a mitigation for threats (accessible password files on timesharing systems, passwords transmitted in the clear) that are no longer prevalent.

Another thing to consider is how long a "wrong" person might have a password before they lose it due to an enforced change by the "right" person. If the enforced period is 180 days, then the "wrong" person will have a password, on average, for about three months. I suspect most of us would want that average exposure to be measured in minutes or hours (seconds? milliseconds?), rather than months, but none of us would be willing to change our passwords more than once a day.

David Walker
Director, Advanced Technology
Information Resources and Communications
University of California, Office of the President
1111 Franklin Street, Room 7115
Oakland, CA 94607-5200
(510) 987-0500
(510) 451-4340 (FAX)
David.Walker () ucop edu

On Fri, 2006-04-07 at 08:06 -0400, Nancy R Evans wrote:
Good Day,

Here at Indiana University of Pennsylvania (IUP) we have had password expiration set to 180 days since we started requiring authentication to our machines. That was about 4 years ago. The expiration is what trips most of our students up. No matter how often we try to educate them, they always seem to get caught. One problem we have with our expiration is that you only know when your password has expired if you are using an on-campus machine. (I have yet to try emails.)

We have recently offered a self-serve password reset to our students via their SCT Banner accounts. It seems to have been accepted well.

Someone mentioned that the forced expiration is actually more of a problem; well, I think I would agree. It seems to me that it encourages the students to "share" account access. We currently do not have a single sign-on service. Do those of you who have single sign-on find that it reduces password problems?

Since I supervise our student and academic faculty/staff help desks, I have been asked to conduct a password education process. I am looking for some fresh ideas. Could you all please share some of your ideas and successes?

Thank you,

Nancy R. Evans, MIS
Coordinator of User Services
Academic Technology Services
Indiana University of Pennsylvania
(724) 357-1329
Nancy.Evans () iup edu
Attachment: smime.p7s
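The "minimal change" David Walker describes (rotating a sequence number inside an otherwise unchanged password) is something a password-change handler can test for at the moment the user supplies both the old and the new password. The following is an added example, not code from the thread or from either university; it assumes the old password is available in plaintext only at change time (the user types it to authorize the change), and the similarity thresholds are illustrative choices, not a policy the thread states.

```python
"""Flag password changes that are only a trivial rotation of the old password.

Added illustration for the thread above. Assumption: the change handler
receives the old and new passwords in plaintext at change time, so this is
a direct comparison rather than a lookup against stored history.
"""
import re

# Any run of digits is collapsed so "Spring2006" and "Spring2007"
# compare as the same stem.
_DIGIT_RUN = re.compile(r"\d+")


def _normalize(password: str) -> str:
    """Lowercase the password and replace every digit run with '#'."""
    return _DIGIT_RUN.sub("#", password.lower())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimal inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_minimal_change(old: str, new: str, max_edits: int = 3) -> bool:
    """Return True when `new` is too close to `old` to count as a real change.

    max_edits is an illustrative threshold (assumption, not from the thread).
    """
    if old == new:
        return True
    # Same stem with only the numeric suffix/infix rotated.
    if _normalize(old) == _normalize(new):
        return True
    # A handful of character tweaks (e.g. "Lib3rty!" -> "Liberty!").
    return _edit_distance(old, new) <= max_edits


def evaluate_change(old: str, new: str) -> tuple[bool, str]:
    """Decide whether to accept a change; returns (accepted, reason)."""
    if not new:
        return False, "empty password"
    if is_minimal_change(old, new):
        return False, "new password is a minimal variation of the old one"
    return True, ""


if __name__ == "__main__":
    # Constructed sample pairs, labelled as such.
    samples = [
        ("Spring2006", "Spring2007"),
        ("hunter2", "hunter3!"),
        ("Lib3rty!", "Liberty!"),
        ("correct horse", "battery staple"),
    ]
    for old, new in samples:
        accepted, reason = evaluate_change(old, new)
        print(f"{old!r} -> {new!r}: {'accepted' if accepted else 'rejected'} {reason}")
```

The digit-normalization step catches the sequence-number rotation the message describes; the edit-distance step catches the other common dodge of changing one or two characters. Both run only on the two values the user has just typed, so nothing beyond the usual hashed credential needs to be stored.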
Current thread:
- Password Expiration Nancy R Evans (Apr 07)
- <Possible follow-ups>
- Re: Password Expiration David Walker (Apr 07)
- Re: Password Expiration Harold Winshel (Apr 07)
- Re: Password Expiration Dave Koontz (Apr 08)
- Re: Password Expiration Charlie Prothero (Apr 09)
- Re: Password Expiration Harold Winshel (Apr 09)
- Re: Password Expiration Harold Winshel (Apr 10)
- Re: Password Expiration Bill Betlej (Apr 10)
- Re: Password Expiration Geoffrey S. Nathan (Apr 10)
- Re: Password Expiration Gene Spafford (Apr 10)
- Re: Password Expiration Harold Winshel (Apr 11)
- Re: Password Expiration Steve Worona (Apr 11)
(Thread continues...)