Re: Password Management Policy & Standards

["Bradner, Scott" <sob () HARVARD EDU>]

you should review 
Gene Spaford’s Security Myths and Passwords
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
and Passwords and Myth
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/

Scott

> On Feb 24, 2016, at 7:19 PM, Carlos Lobato <clobato () NMSU EDU> wrote:
>
> Hello Colleagues,
>
> I'm working on promoting institutional compliance with our current password policy, which requires regular password 
> changes every 120 days for all accounts. 
>
> However, I would like to know if some of you have created a table or matrix listing all of your type of accounts and 
> if password expiration dates vary depending on the type of account, which would be based on risk.
>
> If you have a listing, I would highly appreciate a link or a copy to your document.  I am using various resources 
> including the NIST SP 800-118 and I can share with the group after I finish my analysis and potentially re-write our 
> current NMSU password policy to make more realistic.
>
> Thank you so much for any input that you may have.
>
> Carlos,
>
> Carlos S. Lobato, CISA, CISSP, CPA
> IT Compliance Officer
>  
> New Mexico State University
> Information and Communication Technologies
> MSC 3AT PO Box 30001
> Las Cruces, NM  88003
>  
> Phone (575) 646-5902
> Fax (575) 646-5278