Educause Security Discussion mailing list archives
Re: Current Best Practice regarding Password Change policy
From: Jack Suess <jack () UMBC EDU>
Date: Fri, 24 Sep 2010 08:55:32 -0400
Barbara,

This issue comes up fairly regularly and the reality is it is hard to point to best practice to define "N" and say changing a password every "N" days represents best practice. The reality in security is that there is both a technical and social component to everything we do. That is why security is so focused on risk management. As you lower "N" you generate more people that write their password on a sticky note or that do other poor practices to remember it. In addition, you generate higher levels of support calls to deal with forgotten passwords. On the other side, increasing "N" opens the opportunity that if the password is compromised it will remain available for illicit use for a longer period of time.

To me, I would ask whether all categories of people have the same risk profile. On my campus we have different password policies for those with the ability to commit university financial resources than for those that don't -- i.e. if you can approve requisitions, payroll, or make procurement card purchases there is a higher bar. That was based on the idea that the risk of a student losing their password falls mostly on the student -- we enforce strong passwords but we don't want to require students to change passwords as frequently as you.

In terms of best practice: NIST developed a long document numbered 800-63 on electronic authentication. I think this highlights best practice in thinking about electronic authentication (http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf). One of the tools I found exceptionally useful was a spreadsheet that was developed based on this work. It allows you to look at various password policies including the "N" and see how strong the password is. This was designed because under the federal process some passwords had to have higher levels of assurance. What is interesting about this tool is it allows you to see how much you have changed the risk by altering policies.

You can then play with the tool and see if 180 or 360 makes a substantial change in your risk profile. It is hard to find the spreadsheet so I put the link below.

http://www.idmanagement.gov/documents/CommonCAP.xls

jack suess

On Sep 24, 2010, at 8:28 AM, Barbara Deschapelles wrote:

We currently require all, Students, Faculty and Staff, to change passwords every 90 days and we are enforcing unique passwords (no repeats). This is a relatively new requirement here and we are getting a lot of push back on the change. I'd like to get a feel for what people accept as current best practice for password change intervals and other related policies, and also, if it is different than the best practice, what people are actually doing (if you wish to share that :-)

Thanks for your help. I'll be glad to summarize for the group if there is interest in that.

Barb Deschapelles
Executive Director Information Technology
Clark State Community College
570 East Leffel Lane
PO Box 570
Springfield, OH 45501-0570
Phone: 937 328-6144

Think before you print - save a tree.
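The reply above points at SP 800-63 and a spreadsheet for seeing how the change interval "N" moves the risk figure. The following is an added example written for this archive page, not the NIST spreadsheet or anything the posters shared; it reproduces the kind of calculation that tool performs using SP 800-63 v1.0.2 Appendix A's per-character entropy estimates for user-chosen passwords and the Level 1 and Level 2 targets for attacker success probability over the life of a password (2^-10 and 2^-14). The exact shape of the dictionary-check bonus for short passwords, the lockout parameters (100 failed attempts per 30 days), and the 8-character scenario are assumptions marked in the code; the function and variable names are mine.

```python
import math

# Simplified reading of NIST SP 800-63 v1.0.2, Appendix A ("Estimating Password
# Entropy and Strength") for user-chosen passwords. The per-character rule is
# the one the document states; the shape of the dictionary bonus below (full
# 6 bits up to 8 characters, declining to zero at 20) is an assumption chosen
# to line up with the document's worked table, not a formula it spells out.
LEVEL_TARGETS = {1: 2 ** -10, 2: 2 ** -14}  # max attacker success probability over the password's life


def nist_800_63_entropy_bits(length, composition_rule=False, dictionary_check=False):
    """Estimated guessing entropy (bits) of a user-chosen password of `length` characters."""
    if length <= 0:
        return 0.0
    bits = 4.0                                   # first character: 4 bits
    bits += 2.0 * min(max(length - 1, 0), 7)     # characters 2-8: 2 bits each
    bits += 1.5 * min(max(length - 8, 0), 12)    # characters 9-20: 1.5 bits each
    bits += 1.0 * max(length - 20, 0)            # characters 21 and up: 1 bit each
    if composition_rule:
        bits += 6.0                              # upper case and non-alphabetic characters required
    if dictionary_check:
        if length <= 8:
            bits += min(6.0, float(length))      # assumption: bonus capped by length for very short passwords
        elif length < 20:
            bits += 6.0 - 0.5 * (length - 8)     # bonus declines to zero at 20 characters
    return bits


def online_guess_budget(lifetime_days, max_failures, window_days):
    """Guesses an online attacker gets over one password lifetime ("N" days) when the
    account locks after `max_failures` failed attempts per `window_days`.
    Pessimistic: a partial final window is counted as a whole one."""
    windows = math.ceil(lifetime_days / window_days)
    return windows * max_failures


def success_probability(entropy_bits, guesses):
    """Probability that `guesses` distinct guesses hit a password of `entropy_bits` entropy."""
    return min(1.0, guesses / (2.0 ** entropy_bits))


def meets_level(entropy_bits, guesses, level):
    """True if the policy stays within the SP 800-63 target for the given assurance level."""
    return success_probability(entropy_bits, guesses) <= LEVEL_TARGETS[level]


def compare_lifetimes(length, lifetimes=(90, 180, 360), max_failures=100, window_days=30,
                      composition_rule=True, dictionary_check=True):
    """Attacker success probability for each candidate change interval N (days)."""
    bits = nist_800_63_entropy_bits(length, composition_rule, dictionary_check)
    return {n: success_probability(bits, online_guess_budget(n, max_failures, window_days))
            for n in lifetimes}


if __name__ == "__main__":
    # Constructed scenario: 8-character passwords with composition and dictionary
    # rules, 100 failed logins allowed per 30 days per account, N = 90/180/360.
    bits = nist_800_63_entropy_bits(8, composition_rule=True, dictionary_check=True)
    print(f"estimated entropy: {bits:.0f} bits")
    for n, p in compare_lifetimes(8).items():
        verdict = "meets" if p <= LEVEL_TARGETS[2] else "misses"
        print(f"N={n:>3} days: P(success) = {p:.2e}  ({verdict} Level 2 target {LEVEL_TARGETS[2]:.2e})")
```

Run stand-alone, the script shows what the thread is asking about: under a throttle like this, quadrupling N from 90 to 360 days quadruples the guess budget, yet the success probability stays orders of magnitude below the Level 2 target, so the interval alone does little to the online-guessing risk. The same function also shows where the target is actually missed: with no composition or dictionary rules (18 bits), even a 90-day interval fails Level 2, which is the argument for spending policy effort on password quality and lockout rather than on a shorter N.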