Re: Password Expiration

[Dave Koontz <dkoontz () MBC EDU>]

Just because something might be difficult doesn't mean you shouldn't do it.

Keep in mind that you also have to consider brute force hacker tools, user
empathy and social engineering that can obtain a username / password.  While
it's true that a user may write their password on a 'post-it" note and
attach it to their monitor, they could just as easily tell a friend or
co-worker their password to logon to a system.  While not perfect, a solid
password change policy at least ensures that any users compromised password
is only good for a finite period of time, rather than forever.  A policy
such as this used in conjunction with system monitoring can save you a lot
of protential problems in the future.  Just imagine for a second that a user
gives their boyfriend their logon info, then have a nasty break-up.  Do you
want to trust that information forever?

Ideally, we would all have two+ factor authentication, but for now that is
outside most or our budgets.  Limiting how long a "Key" (password) is good
for seems logical to me.  Many hotels/motels change their digital locks
after each guest to help ensure a 'compromised' key isn't used.


  _____

From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
Sent: Friday, April 07, 2006 10:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Expiration


I've always been skeptical about the benefits of requiring regular password
changes, for the same reasons.  It seems like it can be an example of the
law of unintended consequences - you enact a procedure, i.e., requiring
password changes,  to try to make things more secure and, by virtue of that
procedure, you may actually be making things less secure.

It can be very difficult, in a university environment, to stop people from
recording their passwords in insecure manners.  And, of course, the more
lengthy and difficult to remember the password is, the more likely it is to
be written down carelessly.

I would also think you want to decide who you are protecting the password
from - whether it is from a breach through the internet or a breach from
physical access.  If physical access breach is not an issue, then writing
the password on a stick-on note and pasting it to the monitor is less of an
issue.

Harold Winshel



At 02:19 PM 4/7/2006, David Walker wrote:


At the University of California, we dropped our policy requirement for
regular password changes a few years ago.  It is our belief that requiring
regular password changes can actually decrease security, as it encourages
people to write their passwords in insecure locations.  Also, the password
changes tend to be minimal, say, changing a sequence number within the
password.  It's our sense that enforcing password changes is a mitigation
for threats (accessible password files on timesharing systems, passwords
transmitted in the clear) that are no longer prevalent.

Another thing to consider is how long a "wrong" person might have a password
before they lose it due to an enforced change by the "right" person.  If the
enforced period is 180 days, then the "wrong" person will have a password,
on average, for about three months.  I suspect most of us would want that
average exposure to be measured in minutes or hours (seconds?
milliseconds?), rather than months, but none of us would be willing to
change our passwords more than once a day.

David Walker
Director, Advanced Technology
Information Resources and Communications
University of California, Office of the President
1111 Franklin Street, Room 7115
Oakland, CA 94607-5200
(510) 987-0500
(510) 451-4340 (FAX)
David.Walker () ucop edu

On Fri, 2006-04-07 at 08:06 -0400, Nancy R Evans wrote:


Good Day,

Here at Indiana University of Pennsylvania (IUP) we have had password
expiration set to 180 day since we started requiring authentication to our
machines. That was about 4 years ago.  The expiration is what trips most of
our students up.  No matter how often we try to educate them they always
seem to get caught. One problem we have with our expiration is that you only
know when your password has expired if you are using and on campus machine.
(I have yet to try emails)  We have recently offered a self serve password
reset to our students via their SCT Banner accounts.  Seems to have been
accepted well.
Someone mentioned that the forced expiration is actually more of a problem,
well I think I would agree.  It seems to me that is encourages the students
to "share" account access.  Currently do not have a single sign on service.
Do those of you who have single sign on find that it reduces password
problems?   Since I supervise our student and academic faculty/staff help
desks I have been asked to conduct a password education process.  I am
looking for some fresh ideas.  Could you all please share some of your ideas
and success.

Thank you,

Nancy R. Evans, MIS
Coordinator of User Services
Academic Technology Services
Indiana University of Pennsylvania
(724) 357-1329
Nancy.Evans () iup edu

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B36 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)