Educause Security Discussion mailing list archives
Re: Password policy
From: "Mclaughlin, Kevin L (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Wed, 1 Nov 2006 15:02:59 -0500
Hi:

We are designing policy to enforce strong passwords/passphrases that have expiration dates. I won't go into all the reasons for using strong passwords even though people tend to write them down, but what I have started recommending is that they store their password lists electronically in a strongly password-protected and strongly encrypted file. I'm not sure if we will ever stop people from writing passwords down in an environment where they have to remember multiple passwords (one for the bank, one for their broker, one for business email, one for personal email, one for Unix and yet another one for Windows, etc.), so we might as well start teaching them how to do so securely.

Btw - while keeping a password in their wallet might be viable in some cases, we need to remind the users doing this that they shouldn't do the same for their ATM PINs! :-)

I personally prefer the strongly password-protected and strongly encrypted file method, and the file can be on their PC or PDA or both.

-Kevin

Kevin L. McLaughlin
CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu

CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential, intended solely for the addressee, and may be legally privileged. Access to this message and its content by any individual or entity other than those identified in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be unlawful.
-----Original Message-----
From: Gary Dobbins [mailto:dobbins () ND EDU]
Sent: Wednesday, November 01, 2006 1:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

Brian,

You may want to consult the latest ECAR security study (http://www.educause.edu/LibraryDetailPage/666?ID=ERS0606) for percentages of schools who employ various practices, but I can tell you our story:

We enforce password complexity, non-reuse, and expiration (180 days). Our policy does not forbid their safe storage, but admonishes keeping them secret. We cast it this way to avoid the backlash effect you cite below, where user reaction makes them less secret. We felt that a password stored relatively safely (e.g. in a wallet) was less of a threat vector than one which was simple and easily guessed and/or has never changed.

This policy was phased in weekly on randomly-selected accounts each week over an academic year, so not everyone's password had to be changed at the same time. Individual difficulties (usually inconvenience) were of course cited by some, but overall these constituted a _very_ low percentage of the population. No exceptions have been deemed necessary (so far, knock wood).

Kellogg, Brian D. wrote:
> A couple questions:
>
> 1. Do most enforce password expirations? I came from a large corporation and they enforced a 90 day password expiration policy. It seemed to have the effect of making passwords less secure as most would write them down in obvious places.
> 2. Do most enforce a strong password policy?
> 3. Any other recommendations/insights along this line would be helpful.
>
> Thanks, Brian
--
------------------------------------------------------------
Gary Dobbins, CISSP -- Director, Information Security
University of Notre Dame, Office of Information Technologies
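Gary's message names three enforced rules (complexity, non-reuse, 180-day expiration) and a phased weekly rollout over randomly chosen accounts. The script below is an added illustration of how those rules can be checked; it is not code from the list, from Notre Dame or from the University of Cincinnati. The 180-day interval is the one stated in the thread; the minimum length (12), the "3 of 4 character classes" rule, the history depth (5) and the PBKDF2 round count are assumptions chosen for the example, and the usernames are constructed.

```python
"""Password-policy checks modelled on the rules described in the thread (added example)."""
import hashlib
import hmac
import os
import random
import re
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

MAX_AGE_DAYS = 180      # expiration interval stated in the thread
MIN_LENGTH = 12         # assumed minimum length; the thread gives no number
MIN_CLASSES = 3         # assumed: characters from at least 3 of the 4 classes below
HISTORY_SIZE = 5        # assumed: how many previous passwords the non-reuse rule remembers
PBKDF2_ROUNDS = 100_000 # assumed work factor for the history hashes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so the reuse history never stores cleartext passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def complexity_errors(password: str) -> List[str]:
    """Return the complexity rules a candidate violates; an empty list means it passes."""
    errors: List[str] = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    present = sum(bool(re.search(pattern, password)) for pattern in classes)
    if present < MIN_CLASSES:
        errors.append(f"uses {present} of 4 character classes, need {MIN_CLASSES}")
    return errors


class Account:
    def __init__(self, username: str) -> None:
        self.username = username
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, digest), newest last
        self.changed_on: Optional[date] = None


def previously_used(account: Account, password: str) -> bool:
    """Non-reuse rule: re-hash the candidate under each stored salt and compare in constant time."""
    for salt, digest in account.history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def set_password(account: Account, password: str, today: date) -> List[str]:
    """Apply complexity and non-reuse rules; on success record the change date."""
    errors = complexity_errors(password)
    if previously_used(account, password):
        errors.append(f"matches one of the last {HISTORY_SIZE} passwords")
    if errors:
        return errors
    account.history.append(hash_password(password))
    del account.history[:-HISTORY_SIZE]          # keep only the newest HISTORY_SIZE entries
    account.changed_on = today
    return []


def is_expired(account: Account, today: date) -> bool:
    """Expiration rule: a password older than MAX_AGE_DAYS (or never set) must be changed."""
    if account.changed_on is None:
        return True
    return (today - account.changed_on) > timedelta(days=MAX_AGE_DAYS)


def rollout_schedule(usernames: List[str], weeks: int, seed: int = 0) -> Dict[int, List[str]]:
    """Phase the policy in: shuffle the accounts, then spread them evenly over the weeks."""
    rng = random.Random(seed)
    shuffled = list(usernames)
    rng.shuffle(shuffled)
    schedule: Dict[int, List[str]] = {week: [] for week in range(1, weeks + 1)}
    for i, user in enumerate(shuffled):
        schedule[1 + i % weeks].append(user)
    return schedule


if __name__ == "__main__":
    acct = Account("example-user")                     # constructed sample account
    print(set_password(acct, "Correct-Horse-Battery-9", date(2006, 11, 1)))   # []
    print(set_password(acct, "Correct-Horse-Battery-9", date(2006, 11, 2)))   # reuse error
    print(is_expired(acct, date(2006, 11, 1) + timedelta(days=181)))          # True
    print(rollout_schedule([f"user{i}" for i in range(12)], weeks=4))
```

The history keeps salted hashes rather than old passwords, so a leaked policy database does not expose them, and the comparison uses `hmac.compare_digest` so the check does not leak timing. The rollout helper reproduces the effect Gary describes: every account changes exactly once, but only a fraction of the population is affected in any one week.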
Current thread:
- Password policy Kellogg, Brian D. (Nov 01)
- <Possible follow-ups>
- Re: Password policy Gary Dobbins (Nov 01)
- Re: Password policy Penn, Blake (Nov 01)
- Re: Password policy Buz Dale (Nov 01)
- Re: Password policy Kevin Shalla (Nov 01)
- Re: Password policy Colleen Keller (Nov 01)
- Re: Password policy Gary Flynn (Nov 01)
- Re: Password policy Harold Winshel (Nov 01)
- Re: Password policy Mclaughlin, Kevin L (mclaugkl) (Nov 01)
- Re: Password policy Gene Spafford (Nov 01)
- Re: Password policy Geoff Nathan (Nov 01)
- Re: Password policy Mclaughlin, Kevin L (mclaugkl) (Nov 01)
- Re: Password policy Kevin Shalla (Nov 01)
- Re: Password policy Daniel R Jones (Nov 01)
- Re: Password policy Jim Dillon (Nov 01)
- Re: Password policy Jim Dillon (Nov 01)
- Re: Password policy Crawford, Tim M. (Nov 01)
- Re: Password policy Bob Kehr (Nov 01)
- Re: Password policy Harold Winshel (Nov 01)
(Thread continues...)