Educause Security Discussion mailing list archives
Re: Password Policies for today's knowledge worker
From: Brad Judy <brad.judy () CU EDU>
Date: Wed, 10 Feb 2016 16:23:30 +0000
Here's my issue with password reset policies: this protection only helps in the case that account compromises are both undetected and unrepeatable. If you can detect the compromise (like a password dump a la Adobe), then you can force resets. If the compromise is persistent or repeatable (like APT or malware on the host like PonyStealer), then the attacker can get the new password after the change.

That said, the one reason I still like an occasional password change (once or twice a year) is because it acts as a bit of enforcement for not setting all of your non-university account passwords to match your university one. People are very unlikely to run around changing all of their other passwords each time they update their university one. Then, if an external password is breached, it doesn't compromise the university one. Arguably, a one-time breach of a third-party system is just another version of "undetectable and unrepeatable".

As others have mentioned, additional controls (like multi-factor auth) may help mitigate the risk without requiring password changes. It's the direction most end-user services have taken (Google, Facebook, etc.), combined with some great automation on monitoring/alerting.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of David Lundy <dlundy () PACIFIC EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, February 9, 2016 at 6:59 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

Larry:

Because of uncertainty. One does not necessarily know of a compromise. Consider that the Germans lost U-Boats in WWII because they were unaware that Enigma had been compromised.

David Lundy
-----------------------------------
David Lundy
Assistant IT Security Officer
University of the Pacific
Stockton, CA 95211
Email: dlundy () pacific edu
Voice: 209-946-3951
Fax: 209-946-2898

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Larry K. Emmons
Sent: Tuesday, February 09, 2016 5:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

Neal,

In a similar discussion I was challenged with a question. "Why do I need to change my password?" I went through the typical responses about security and was then asked the same question again. I pondered my dilemma and was then enlightened with a response. I should only have to change my password if it has been compromised. If it hasn't been compromised, why change it? Chicken or egg?

Thanks,
Larry
Director of Technology and Support Services
Saginaw Valley State University
www.svsu.edu

On Tue, Feb 9, 2016 at 4:28 PM -0800, "Fisch, Neal" <Neal.Fisch () CSUCI EDU> wrote:

Good afternoon everyone,

In today's world of knowledge workers having a multitude of devices used for accessing their work data, I would like to know how strict you feel password policies should be to be able to accommodate this plethora of devices, accommodate a seamless password change process, and still be secure. Items of particular interest are password/access controls, specifically in regards to acceptable timeframes for password resets and number of failed login attempts.

Thanks all!

Neal

Neal Fisch
Director, Enterprise Services and Security
Information Security Officer
Division of Technology & Communication
California State University Channel Islands
One University Drive, Camarillo CA 93012
Solano Hall - Room 2178
Email: neal.fisch () csuci edu
Voice: 805-437-3278 | Mobile: 805-443-6529 | Fax: 805-437-3377