Educause Security Discussion mailing list archives

Re: password length and required reset


From: Brad Judy <brad.judy () CU EDU>
Date: Mon, 10 Oct 2016 15:45:19 +0000

Agreed, use of mutually exclusive password policies can address this issue as well.  

Brad Judy
 
Information Security Officer
Office of Information Security
University of Colorado 
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu <http://www.cu.edu/>
 

 



On 10/10/16, 9:33 AM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Steven Alexander" <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of steven.alexander () KCCD EDU> wrote:

    Brad,
    
    Password reuse is obviously a problem but I think you can largely prevent this by using stronger password 
requirements.  Most sites still require only 6-8 character passwords.  If you require much longer passwords (e.g. 15 
characters), it will be much less likely that users will reuse passwords from other sites because they won't meet the 
requirements.  If you can implement a filter, blacklisting common and previously cracked passwords would also help.
    
    Regards,
    
    Steven Alexander
    Director of IT Security
    Kern Community College District
    (661) 336-5111
    
    -----Original Message-----
    From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad 
Judy
    Sent: Monday, October 10, 2016 7:19 AM
    To: SECURITY () LISTSERV EDUCAUSE EDU
    Subject: Re: [SECURITY] password length and required reset
    
    Most of the services you mention offer opt-in, or mandatory, multifactor authentication and many have pretty 
advanced automated systems for detecting suspicious logins/activities.  
    
    That said, the only reason I like limited password life for our industry is because it ensures people don’t use the 
same passwords for our systems as third-party systems.  If you have to change your password once every 6-12 months at 
your EDU, it’s unlikely you run around changing your password elsewhere to match.  
    
    At its root, password expiration is a control to address an undetected, unrepeatable compromise of credentials.  If 
the attack is detected, you can force a password reset.  If the attack is repeatable (like phishing or a keylogger), 
then the attacker can get the new password as well.  Some of the origins are in the idea of an attacker stealing your 
password store and cracking it, but these days the more common version of the threat is someone stealing an external 
password store, cracking it and then using the email/password combo to attack their email account (and related 
accounts).  
    
    If you want to have immortal passwords, then ask yourself what detection and response capabilities you have, as 
well as your options for stronger authentication mechanisms where appropriate.  
    
    Brad Judy
     
    Information Security Officer
    Office of Information Security
    University of Colorado 
    1800 Grant Street, Suite 300
    Denver, CO  80203
    Office: (303) 860-4293
    Fax: (303) 860-4302
    www.cu.edu <http://www.cu.edu/>
     
    
     
    
    
    
    On 10/10/16, 7:09 AM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Mike Cunningham" <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of mike.cunningham () PCT EDU> wrote:
    
        Thanks for the feedback. 
        
        How do you counter the argument that no other online service that requires passwords has any set time limit on 
a password, and they are sites with much more sensitive information: bank sites, credit card sites, Amazon, PayPal, 
Gmail, Yahoo, Hotmail, Outlook.com, phone companies, Netflix, etc.? I can't think of any service that I have myself that 
requires me to change a password on a regular basis, and that is how students view us, as just another online service.  
I am 100% in favor of employees needing to reset a password, since their access gives them access to other people's 
data, but students only have access to their own data, so password mismanagement only puts their own data at risk, 
just like on any of those other services.    
        
        Mike Cunningham
        
        -----Original Message-----
        From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Boyd, Daniel
        Sent: Monday, October 10, 2016 8:42 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] password length and required reset
        
        You are correct in thinking that 12 characters will help.  If you run passwords through most any analyzer, that 
12th character adds a tremendous amount of time to the decryption process... but will not help if common phrases, 
titles, and sequences are used.
        
        We recently moved all faculty, staff and service accounts to a 90-day password reset cycle, with a history of 
6.  We are considering a minimum password age of 2 days, but have not implemented that change yet.  We recommend that the 
password be a minimum of 8, but no longer than 13 characters (any longer and Office365 complains, at least as of 
August of this year), and it cannot contain three consecutive characters of their username.  It also must have a capital 
letter and a number or symbol.
        
        It has taken a number of years to push this policy amid lots of grumbling from staff and faculty.  We got 
buy-in from administration by explaining our reasons for implementing, we communicated the change effectively to the 
community and so far, have not had significant backlash.  We considered having two different policies for staff and 
faculty, but decided it was in everyone's best interest to enforce the stricter policy (whether they believed it or 
not).
        
        Students have all the same requirements except the max age for their password is 180 days.  No issues there 
either, as this is explained at orientation.  While it frustrates a tiny percentage, it is an acceptably low percentage.
        
        The key is effective communication and simple explanation of the reasons why this is important.
        
        Good luck with any changes you make.
        
        Dan
        
        
        Daniel H. Boyd (94C)
        Senior Network Architect
        Network Operations
        Information Security Advisory Group Chair
        Berry College
        Phone: 706-236-1750
        Fax:     706-238-5824
        
        There are two rules to follow with your account passwords:
        1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
        2. If unsure, consult rule #1
        
        
        
        
        -----Original Message-----
        From: Mike Cunningham [mailto:mike.cunningham () PCT EDU]
        Sent: Friday, October 07, 2016 3:29 PM
        Subject: password length and required reset
        
        We currently have a password length rule of 6 with a password expiration of 180 days. We are considering changing 
that to a length of 12 with a recommendation to use a passphrase, and no expiration. Students can change their 
password daily or never, as they want. We believe the longer length requirement will make the password so much stronger 
that the password reset is no longer needed. This change is for students ONLY. Employees will still have a password reset 
requirement. 
        
        Thanks
        
        
        Mike Cunningham
        VP of Information Technology Services/CIO
        Pennsylvania College of Technology
        
        
        
    
    


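Added example (not part of the list thread above, and not code from any of the institutions named in it): a password-policy filter of the kind Steven Alexander and Daniel Boyd describe. It encodes two constructed policies, one modelled on the 8-13 character rule with a capital letter, a number or symbol and the no-three-consecutive-username-characters check, and one modelled on the 12-plus character passphrase rule with no complexity requirement, and both consult a denylist of common and previously cracked passwords. The denylist here is a tiny constructed sample, and the policy names, the username "jdoe" and the sample passwords are assumptions for illustration.

```python
"""Password policy filter: added example, not code from the list thread."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Constructed sample denylist. In production this would be loaded from a
# list of common and previously cracked passwords (e.g. a breach corpus).
COMMON_PASSWORDS: FrozenSet[str] = frozenset({
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome1", "summer2016", "football", "iloveyou",
})


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    max_length: Optional[int] = None        # None means no upper bound
    require_upper: bool = False
    require_digit_or_symbol: bool = False
    username_run: Optional[int] = None      # reject N consecutive username chars
    denylist: FrozenSet[str] = frozenset()


def username_substrings(username: str, n: int) -> Set[str]:
    """All length-n substrings of the username, lowercased, for the
    'no N consecutive characters of the username' rule."""
    u = username.lower()
    return {u[i:i + n] for i in range(len(u) - n + 1)}


def check_password(policy: Policy, password: str, username: str = "") -> List[str]:
    """Return the list of rules the password violates (empty means it passes)."""
    problems: List[str] = []
    pw_lower = password.lower()

    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.max_length is not None and len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if policy.require_digit_or_symbol and not re.search(r"[0-9]|[^A-Za-z0-9]", password):
        problems.append("no number or symbol")
    if policy.username_run and username:
        runs = username_substrings(username, policy.username_run)
        if any(run in pw_lower for run in runs):
            problems.append(
                f"contains {policy.username_run} consecutive characters of the username")

    # Denylist lookup is case-insensitive and also tries the password with
    # any trailing digit/symbol suffix removed, so "Password1!" is caught
    # when "password" is on the list.
    base = re.sub(r"[^a-z]+$", "", pw_lower)
    if pw_lower in policy.denylist or base in policy.denylist:
        problems.append("on the common/cracked password list")
    return problems


# Two constructed policies modelled on the ones discussed in the thread.
COMPLEXITY_8_TO_13 = Policy(
    name="8-13 chars, capital + digit/symbol, no 3-char username run",
    min_length=8, max_length=13, require_upper=True,
    require_digit_or_symbol=True, username_run=3, denylist=COMMON_PASSWORDS)

PASSPHRASE_12_PLUS = Policy(
    name="12+ char passphrase, no expiration",
    min_length=12, denylist=COMMON_PASSWORDS)


if __name__ == "__main__":
    # "jdoe" is a made-up username for the illustration.
    for pw in ["Tr0ub4dor", "Password1!", "Doe2016!", "correct horse battery staple"]:
        for pol in (COMPLEXITY_8_TO_13, PASSPHRASE_12_PLUS):
            result = check_password(pol, pw, username="jdoe")
            print(f"{pw!r:32} [{pol.name}] -> {result or 'OK'}")
```

Two things the run shows that the thread only states in prose: the 28-character passphrase that passes the passphrase policy is rejected by the 8-13 policy on length alone, which is the practical form of Brad Judy's "mutually exclusive password policies"; and "Password1!" satisfies every complexity rule yet is still rejected, because the denylist lookup strips the trailing digit/symbol suffix before looking the base word up. A filter that only checked length and character classes would have accepted it.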