Educause Security Discussion mailing list archives
Re: Current Best Practice regarding Password Change policy
From: Jack Reardon <jack.reardon () WORCESTER EDU>
Date: Fri, 24 Sep 2010 09:16:55 -0400
We use Active Directory complexity. Here are the other requirements:

- 8 character minimum
- a minimum 3 of the following 5: upper, lower, number, punctuation, special
- change every 90 days
- no part of username in PW
- last 20 PWs cannot be repeated
- lockout of 30 minutes if there are 6 failed attempts in a 30 minute period

There was some push back when we implemented these policies. The resource we are protecting is valued by the users and they have come to accept the policy.

We do tend to get the usual references to the Gene Spafford article on the subject. That writing does not sway me or the auditors. We believe that people tend to use the same password for many accounts, both personal and professional. 90 days means an abandoned password is locked after just 90 days.

The state auditors that reviewed our IT policies and procedures were pleased with our password policy. I know that does not improve security, but it does allow us to "pass" the audit and allow us to focus on security.

Here is the statement we put on our password change screen:

Your password MUST be 8 characters in length and MUST include
+ 1 upper case letter
+ 1 lower case letter
+ 1 number.
Passwords cannot contain any portion of your username or previous passwords.
[NOTE: do NOT use special characters in your password i.e. <, > ?#$%^&*()!@ etc.]

Note the warning about special characters. This is a restriction of our Blackboard setup. Some of the special characters do not work with our Blackboard Community system.

Jack Reardon
Associate Director, Infrastructure Services
Worcester State University

On Fri, Sep 24, 2010 at 8:28 AM, Barbara Deschapelles <deschapellesb () clarkstate edu> wrote:
> We currently require all (students, faculty and staff) to change passwords every 90 days, and we are enforcing unique passwords (no repeats). This is a relatively new requirement here and we are getting a lot of push back on the change.
>
> I'd like to get a feel for what people accept as current best practice for password change intervals and other related policies, and also, if it is different from the best practice, what people are actually doing (if you wish to share that :-)
>
> Thanks for your help. I'll be glad to summarize for the group if there is interest in that.
>
> Barb Deschapelles
> Executive Director, Information Technology
> Clark State Community College
> 570 East Leffel Lane
> PO Box 570
> Springfield, OH 45501-0570
> Phone: 937 328-6144
>
> Think before you print - save a tree.
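A checker for the rule set Jack lists (8 character minimum, 3 of 5 character classes, no part of the username, none of the last 20 passwords reused), as an added example that is not from this thread or from either institution's systems. The 3-character username-fragment rule, the split between "punctuation" and "special", and the salted PBKDF2 format of the history list are assumptions; the 90-day expiry and the lockout counter live in the directory, not in a password-change check, so they are not modelled here.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8
CLASSES_REQUIRED = 3   # at least 3 of the 5 classes below
HISTORY_DEPTH = 20     # the last 20 passwords cannot be reused
FRAGMENT_LEN = 3       # assumption: any 3+ character run of the username is "part of the username"

# The five classes the post names. Which characters count as "punctuation"
# versus "special" is not defined in the post; this split is an assumption.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "number": set(string.digits),
    "punctuation": set(".,;:!?'\"-"),
    "special": set("<>#$%^&*()@+=[]{}|\\/~`_"),
}


def hash_password(password, salt=None):
    """Salted PBKDF2 entry for the history list (assumed scheme, not how AD stores history)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def check_password(password, username, history):
    """Return the list of violated rules; an empty list means the password is acceptable.

    history is a list of (salt, digest) tuples from hash_password, oldest first.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    chars = set(password)
    present = sum(1 for members in CLASSES.values() if chars & members)
    if present < CLASSES_REQUIRED:
        problems.append("fewer than 3 of 5 character classes")
    lowered, user = password.lower(), username.lower()
    fragments = {user[i:i + FRAGMENT_LEN] for i in range(len(user) - FRAGMENT_LEN + 1)}
    if user and (user in lowered or any(f in lowered for f in fragments)):
        problems.append("contains part of the username")
    for salt, digest in history[-HISTORY_DEPTH:]:   # only the last 20 entries are compared
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("matches one of the last 20 passwords")
            break
    return problems
```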