Educause Security Discussion mailing list archives
Re: Password Management Policy & Standards
From: "McClenon, Brady" <Brady.McClenon () ONEONTA EDU>
Date: Fri, 26 Feb 2016 15:43:27 +0000
I'm a proponent of password expiration for the reason Brad outlined: "keeping the institutional password out of sync with external passwords." Also, to this end, the password expiration should be less than a year, IMO. Otherwise, you see many not changing their password in an effective manner. They just take the same password and slap the new year on the end of it.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Friday, February 26, 2016 10:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management Policy & Standards

Password expiration primarily protects in the situation in which a password is compromised in an undetectable and unrepeatable manner. If you can detect the compromise, you can force a reset or lockout. If the attack is repeatable (endpoint malware, APT, etc.), then the new password can be obtained as well. These singular, silent attacks are uncommon.

The scenario that password expiration best protects from, IMO, is keeping the institutional password out of sync with external passwords. If you have to change your password every six months, you are unlikely to run around to all other websites you use to reset them to match. Then if a third-party site is compromised (this happens frequently), the odds of the compromised password matching the institutional one are greatly reduced. A hack of a third-party site is an extension of the undetectable and (potentially) unrepeatable compromise scenario. Sometimes we do detect these compromises, when the attackers are out for publicity and pastebin the spoils of their attack, but I'm sure for every public disclosure there are many non-disclosed ones.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

On 2/26/16, 7:02 AM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Joanna Grama" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of jgrama () EDUCAUSE EDU> wrote:

Hi Mark,

I have a strong preference for keeping lawyers happy over accountants; but that is just professional courtesy. Like many of the posts in this discussion, I do think the proper inquiry over password complexity and expiration is a risk-based inquiry that looks at the assets being protected and other safeguards in place to protect those assets. I feel the same way about generically applicable standards that I do about "one size fits all" clothing--it very rarely fits perfectly and you always end up looking a little frumpy.

Kind regards,
Joanna

Joanna Grama, JD, CISSP, CRISC, CIPT
Director of IT GRC and Cybersecurity Programs
EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | main: 303.449.4430 | jgrama () educause edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark I. Berman
Sent: Friday, February 26, 2016 7:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management Policy & Standards

Joanna,

So what you're saying is that the reason to expire passwords is to make the accountants happy rather than any rational balancing of risk/reward? I think I probably agree with you.

We just had a discussion here about whether we need to worry about password expiration and complexity so much if we move to two-factor authentication. One thing that was brought up is that we might not even know if a password is compromised, since the bad guy still wouldn't be able to get in, lacking the second factor. And do we care at that point that the password was compromised? Two-factor auth certainly seems to throw a monkey wrench into the question of how important complex and frequently changed passwords really are!

- Mark

--
Mark Berman, Chief Information Officer
Siena College
515 Loudon Road
Loudonville, NY 12211
(518)782-6957, Fax: (518)783-2590
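Brady's observation that users "slap the new year on the end" of the old password is something a change-password handler can check for at the moment the user supplies both the old and the new value. The following is an added example, not code from the thread or from any institution named in it; the old password and the candidate replacements are constructed sample values.

```python
import re
from difflib import SequenceMatcher

# Constructed sample values (not real credentials): an old password and the
# kinds of "new" passwords users submit when a rotation is forced.
OLD_PASSWORD = "Oneonta2015!"
CANDIDATES = {
    "Oneonta2016!": True,            # same password, new year on the end
    "oneonta2016": True,             # case and punctuation changed only
    "Oneonta2015!2": True,           # counter appended to the old password
    "Oneontb2016!": True,            # one letter tweaked plus the year bump
    "correct-horse-battery": False,  # genuinely different password
}

_DECORATION_SUFFIX = re.compile(r"[\W\d_]+$")
_DECORATION_PREFIX = re.compile(r"^[\W\d_]+")


def core(password: str) -> str:
    """Lowercase and strip digits/punctuation from both ends, leaving the
    word users keep between rotations; the year or '!' is what they change."""
    lowered = password.lower()
    return _DECORATION_PREFIX.sub("", _DECORATION_SUFFIX.sub("", lowered))


def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is a cosmetic variation of `old`: identical cores after
    stripping decoration, or a case-insensitive similarity ratio at or above
    `threshold` (0.8 flags one changed letter plus a year bump on a
    12-character password). Needs the old password in the clear, which a
    normal change-password flow has because the user just typed it."""
    if new == old:
        return True
    old_core = core(old)
    if old_core and old_core == core(new):
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold


def evaluate_candidates(old: str = OLD_PASSWORD) -> dict:
    """Map each constructed candidate to the verdict of the check."""
    return {pw: is_trivial_rotation(old, pw) for pw in CANDIDATES}


if __name__ == "__main__":
    for pw, rejected in evaluate_candidates().items():
        print(f"{pw!r:25} rejected={rejected}")
```

The check only works at change time; once the old password exists only as a hash, the comparison is no longer possible, so it belongs in the change handler rather than in an offline audit.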
Current thread:
- Re: Password Management Policy & Standards, (continued)
- Re: Password Management Policy & Standards Bradner, Scott (Feb 24)
- Re: Password Management Policy & Standards Von Welch (Feb 25)
- Re: Password Management Policy & Standards Joanna Grama (Feb 25)
- Re: Password Management Policy & Standards Von Welch (Feb 25)
- Re: Password Management Policy & Standards Mark I. Berman (Feb 26)
- Re: Password Management Policy & Standards Bradner, Scott (Feb 26)
- Re: Password Management Policy & Standards Brad Judy (Feb 26)
- Re: Password Management Policy & Standards David Sheryn (Feb 26)
- Re: Password Management Policy & Standards Mark Borrie (Feb 28)
- Re: Password Management Policy & Standards Joanna Grama (Feb 26)
- Re: Password Management Policy & Standards Brad Judy (Feb 26)
- Re: Password Management Policy & Standards McClenon, Brady (Feb 26)
- Re: Password Management Policy & Standards David Sheryn (Feb 26)
- Re: Password Management Policy & Standards Bradner, Scott (Feb 26)
- Re: Password Management Policy & Standards Bradner, Scott (Feb 24)
- Re: Password Management Policy & Standards Kevin Reedy (Feb 26)
- Re: Password Management Policy & Standards Frank Barton (Feb 26)
- Re: Password Management Policy & Standards Dan Sarazen (Feb 26)
- Re: Password Management Policy & Standards Frank Barton (Feb 26)
- Re: Password Management Policy & Standards Kevin Reedy (Feb 26)
- Re: Password Management Policy & Standards Thomas Carter (Feb 26)
- Re: Password Management Policy & Standards Jones, Mark B (Feb 26)
- Re: Password Management Policy & Standards Thomas Carter (Feb 26)