Educause Security Discussion mailing list archives

Re: Current Best Practice regarding Password Change policy


From: Jack Suess <jack () UMBC EDU>
Date: Fri, 24 Sep 2010 08:55:32 -0400

Barbara,

This issue comes up fairly regularly and the reality is it is hard to point to best practice to define "N" and say 
changing a password every "N" days represents best practice.

The reality in security is that there is both a technical and social component to everything we do. That is why 
security is so focused on risk management. As you lower "N" you generate more people that write their password on a 
sticky note or that do other poor practices to remember it. In addition, you generate higher levels of support calls to 
deal with forgotten passwords. On the other side, increasing "N" opens the opportunity that if the password is 
compromised it will remain available for illicit use for a longer period of time.

To me, I would ask whether all categories of people have the same risk profile. On my campus we have different password 
policies for those with the ability to commit university financial resources than for those that don't -- i.e. if you 
can approve requisitions, payroll, or make procurement card purchases there is a higher bar. That was based on the idea 
that the risk of a student losing their password falls mostly on the student -- we enforce strong passwords but we 
don't want to require students change passwords as frequently as you.

In terms of best practice:

NIST developed a long document numbered 800-63 on electronic authentication. I think this highlights best practice in 
thinking about electronic authentication 
(http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf). 

One of the tools I found exceptionally useful was a spreadsheet that was developed based on this work. It allows you to 
look at various password policies including the "N" and see how strong the password is. This was designed because under 
the federal process some passwords had to have higher levels of assurance. 

What is interesting about this tool is it allows you to see how much you have changed the risk by altering policies. 
You can then play with the tool and see if 180 or 360 makes a substantial change in your risk profile. It is hard to 
find the spreadsheet so I put the link below.


http://www.idmanagement.gov/documents/CommonCAP.xls


jack suess
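As an added illustration of the trade-off Jack describes (this is not code from the thread or from NIST's spreadsheet), the following Python models online-guessing risk over a password's lifetime "N", using my recollection of the SP 800-63 v1 Appendix A entropy heuristic for user-chosen passwords and an assumed per-day guess throttle; treat the constants as assumptions to verify against the PDF.

```python
"""Constructed model of password-lifetime risk in the spirit of SP 800-63 v1.

Assumptions (mine, not the thread's):
  - entropy follows the Appendix A heuristic for user-chosen passwords as I
    recall it (first char 4 bits, chars 2-8 2 bits each, chars 9-20 1.5 bits,
    21+ 1 bit; +6 bits for composition rules; +6 bits for a dictionary check
    on passwords of 20 chars or fewer)
  - the attacker is limited to online guessing, throttled by lockout policy
    to a fixed number of failed attempts per account per day
  - success probability over the lifetime is approximately guesses / 2**bits
"""

# SP 800-63 v1 targets for the chance of an online guessing attack succeeding
# over the life of the password: 1 in 1024 (level 1), 1 in 16384 (level 2).
LEVEL_TARGETS = {1: 2 ** -10, 2: 2 ** -14}


def appendix_a_entropy(length: int, composition_rules: bool, dictionary_check: bool) -> float:
    """Estimated bits of entropy for a user-chosen password (assumed heuristic)."""
    if length <= 0:
        return 0.0
    bits = 4.0                                  # first character
    bits += 2.0 * min(length - 1, 7)            # characters 2..8
    bits += 1.5 * min(max(length - 8, 0), 12)   # characters 9..20
    bits += 1.0 * max(length - 20, 0)           # characters 21 and beyond
    if composition_rules:
        bits += 6.0
    if dictionary_check and length <= 20:
        bits += 6.0
    return bits


def lifetime_guess_probability(entropy_bits: float, attempts_per_day: int, lifetime_days: int) -> float:
    """Chance the throttled attacker guesses the password before it is rotated."""
    guesses = attempts_per_day * lifetime_days
    return min(1.0, guesses / 2 ** entropy_bits)


def meets_level(probability: float, level: int) -> bool:
    return probability <= LEVEL_TARGETS[level]


def max_lifetime_days(entropy_bits: float, attempts_per_day: int, level: int) -> int:
    """Largest N that still keeps the guessing probability within the level target."""
    return int(LEVEL_TARGETS[level] * 2 ** entropy_bits // attempts_per_day)


if __name__ == "__main__":
    bits = appendix_a_entropy(8, composition_rules=True, dictionary_check=True)
    for n in (90, 180, 360):   # the intervals discussed in the thread
        p = lifetime_guess_probability(bits, attempts_per_day=100, lifetime_days=n)
        print(f"N={n:3d} days: p={p:.2e} level2={meets_level(p, 2)}")
```

Doubling N doubles the guessing probability, while each extra bit of entropy halves it, which is why the spreadsheet tends to show length and composition rules moving the risk profile far more than the choice between 90, 180 and 360 days.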

 



On Sep 24, 2010, at 8:28 AM, Barbara Deschapelles wrote:



We currently require all students, faculty and staff to change passwords every 90 days and we are enforcing unique 
passwords (no repeats). This is a relatively new requirement here and we are getting a lot of push back on the 
change. I'd like to get a feel for what people accept as current best practice for password change intervals and 
other related policies, and also, if it is different than the best practice what people are actually doing (if you 
wish to share that :-)
 
Thanks for your help.  I'll be glad to summarize for the group if there is interest in that.
 
 
 
 
Barb Deschapelles
Executive Director Information Technology
Clark State Community College
570 East Leffel Lane
PO Box 570
Springfield, OH 45501-0570
Phone: 937 328-6144
 
Think before you print - save a tree.
