Educause Security Discussion mailing list archives

Re: Password policy


From: "Mclaughlin, Kevin L (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Wed, 1 Nov 2006 15:02:59 -0500

Hi:

We are designing policy to enforce strong passwords/passphrases that
have expiration dates. I won't go into all the reasons for using strong
passwords even though people tend to write them down, but what I have
started recommending is that they store their password lists
electronically in a strong-password-protected and strongly encrypted
file.  I'm not sure if we will ever stop people from writing passwords
down in an environment where they have to remember multiple passwords
(one for the bank, one for their broker, one for business email, one for
personal email, one for Unix and yet another one for Windows, etc.), so
we might as well start teaching them how to do so securely.

Btw, while keeping a password in their wallet might be viable in some
cases, we need to remind the users doing this that they shouldn't do the
same for their ATM PINs! :-)

I personally prefer the strong-password-protected and strongly encrypted
file method, and the file can be on their PC or PDA or both.

-Kevin


Kevin L. McLaughlin
CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu
CONFIDENTIALITY NOTICE: This e-mail message and its content is
confidential, intended solely for the addressee, and may be legally
privileged. Access to this message and its content by any individual or
entity other than those identified in this message is unauthorized. If
you are not the intended recipient, any disclosure, copying or
distribution of this e-mail may be unlawful. Any action taken or omitted
due to the content of this message is prohibited and may be unlawful.
 

-----Original Message-----
From: Gary Dobbins [mailto:dobbins () ND EDU] 
Sent: Wednesday, November 01, 2006 1:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

Brian,

You may want to consult the latest ECAR security study 
(http://www.educause.edu/LibraryDetailPage/666?ID=ERS0606) for 
percentages of schools who employ various practices, but I can tell you 
our story:

We enforce password complexity, non-reuse, and expiration (180 days).

Our policy does not forbid their safe storage, but admonishes keeping 
them secret.  We cast it this way to avoid the backlash effect you cite 
below, where user reaction makes them less secret.  We felt that a 
password stored relatively safely (e.g. in a wallet) was less of a 
threat vector than one which was simple and easily guessed and/or has 
never changed.

This policy was phased in weekly on randomly-selected accounts each week
over an academic year, so not everyone's password had to be changed at
the same time.

Individual difficulties (usually inconvenience) were of course cited by 
some, but overall these constituted a _very_ low percentage of the 
population.  No exceptions have been deemed necessary (so far, knock
wood).


Kellogg, Brian D. wrote:
A couple of questions:

   1. Do most enforce password expirations?  I came from a large
      corporation and they enforced a 90-day password expiration
      policy.  It seemed to have the effect of making passwords less
      secure as most would write them down in obvious places.
   2. Do most enforce a strong password policy?
   3. Any other recommendations/insights along this line would be
      helpful.

Thanks,

Brian


-- 

   ------------------------------------------------------------
   Gary Dobbins, CISSP -- Director, Information Security
   University of Notre Dame, Office of Information Technologies
