Educause Security Discussion mailing list archives
Re: password length and required reset
From: Mike Cunningham <mike.cunningham () PCT EDU>
Date: Mon, 10 Oct 2016 13:31:58 +0000
Very true and I would never propose eliminating password resets for any employee (employees include all faculty). That is a must. Our current discussion on password resets is only in the world of students. We issue students credentials when they apply, which can be a year before they get on campus. Most will follow the steps to "activate" the account, and change their default password, but many don’t use the account until they need to take placement tests or come for summer orientation, and by then the password has expired and many forget what password they chose, and oddly enough many also forget the answers to their reset questions. We do send them multiple warnings via email about their password about to expire but new students don't seem to check email or they do and don't care. Once they get past that point and get on campus they use that password for phone wifi access, tablet wifi access, laptop wifi access, email account setup on phones and tablets, some game systems with 802.11. Then its time to reset the password again and they need to change it in all those places again or end up causing account lockouts when those devices continue to try and authenticate with the wrong password. The amount of time we are spending dealing with password problems is growing every year and it keeps us from moving forward on new projects. Mike Cunningham -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, Gary - flynngn Sent: Monday, October 10, 2016 9:19 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] password length and required reset Compromise of the accounts you mention primarily affect the data and services of the owner of the account. That is, they're self-service accounts. Compromise of a faculty or staff account would almost certainly provide unauthorized access to constituent data, institutional data, and/or the ability to affect constituent services. I would guess that the authentication policies for the employees of the organizations you listed are different than the policies that apply to their customers. At least I'd hope so. :) Gary Flynn Security Engineer James Madison University
-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Cunningham Sent: Monday, October 10, 2016 9:10 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] password length and required reset Thanks for the feedback. How do you counter the argument that no other online service that requires passwords have any set time limit on a password, and they are sites with much more sensitive information. Bank sites, credit card sites, amazon, paypal, gmail, yahoo, Hotmail, outlook.com phone companies, Netflix, etc. I can't think of any service that I have myself that requires me to change a password on a regular basis and that is how students view us, as just another online service. I am 100% in favor of employees needing to reset a password since their access gives them access to other peoples data but for students they only have access to their own data so password mismanagement only puts their own data at risk, just like on any of those other services. Mike Cunningham -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Boyd, Daniel Sent: Monday, October 10, 2016 8:42 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] password length and required reset You are correct in thinking that 12 characters will help. If you run passwords through most any analyzer, that 12th character adds a tremendous amount of time to the decryption process... but will not help if common phrases, titles, and sequences are used. We recently moved all faculty, staff and service accounts to a 90-day password reset cycle, with a history of 6. We are considering a minimum password age of 2 days, but have not implemented that change yet. We recommend the password to be a minimum of 8, but no longer than 13 characters (any longer and Office365 complains, at least as of August of this year) and cannot contain three consecutive characters of their username. It also must have a capital letter and a number or symbol. It has taken a number of years to push this policy amid lots of grumbling from staff and faculty. We got buy-in from administration by explaining our reasons for implementing, we communicated the change effectively to the community and so far, have not had significant backlash. We considered having two different policies for staff and faculty, but decided it was in everyone's best interest to enforce the stricter policy (whether they believed it or not). Students have all the same requirements except the max age for their password is 180 days. No issues there either, as this is explained at orientation. While it frustrates a tiny percentage, it is an acceptably low percentage. The key is effective communication and simple explanation of the reasons why this is important. Good luck with any changes you make. Dan Daniel H. Boyd (94C) Senior Network Architect Network Operations Information Security Advisory Group Chair Berry College Phone: 706-236-1750 Fax: 706-238-5824 There are two rules to follow with your account passwords: 1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!! 2. If unsure, consult rule #1 -----Original Message----- From: Mike Cunningham [mailto:mike.cunningham () PCT EDU] Sent: Friday, October 07, 2016 3:29 PM Subject: password length and required reset We current have a password length rule of 6 with a password expiration of 180 days. We are considering changing that to a length of 12 with a recommendation to use a pass phrase, and no expiration. Students can want to can change their password daily or never. We believe the longer length requirement will make the password so much stronger that the password reset is no longer needed. This change is for students ONLY. Employees will still have a password recent requirement. Thanks Mike Cunningham VP of Information Technology Services/CIO Pennsylvania College of Technology
Current thread:
- Re: password length and required reset, (continued)
- Re: password length and required reset Mike Cunningham (Oct 10)
- Re: password length and required reset Steven Alexander (Oct 10)
- Re: password length and required reset Justin Store (Oct 11)
- Re: password length and required reset Adam Maynard (Oct 11)
- Re: password length and required reset Drews, Jane E (Oct 12)
- Re: password length and required reset Mike Cunningham (Oct 12)
- Re: password length and required reset Haas, Mike (Oct 12)
- Re: password length and required reset Mike Cunningham (Oct 10)
- Re: password length and required reset Flynn, Gary - flynngn (Oct 10)
- Re: password length and required reset Mike Cunningham (Oct 10)
- Re: password length and required reset Flynn, Gary - flynngn (Oct 10)
- Re: password length and required reset Flynn, Gary - flynngn (Oct 10)
- Re: password length and required reset randy (Oct 10)
- Re: password length and required reset Mike Cunningham (Oct 10)
- Re: password length and required reset Barnes, William (Oct 10)
- Re: password length and required reset Brad Judy (Oct 10)
- Re: password length and required reset Steven Alexander (Oct 10)
- Re: password length and required reset Dale Lee (Oct 10)