Educause Security Discussion mailing list archives
Re: 802.1X password reset issues
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Wed, 14 Nov 2018 19:08:45 -0500
We had the same problem and the same complaints around this time last year. After some investigoogling, I came across this article:

https://ravingroo.com/295/active-directory-account-lockout-policy-threshold-counter-strong-password/

What the author said made sense to us, so we decided to give it a try, and set our Active Directory policy to the values the article recommends:

Account lockout duration: 5 minutes
Account lockout threshold: 50 invalid logon attempts
Reset account lockout counter after: 1 minute

We haven't had any complaints since (nor have we seen anything to suggest that what the author says is incorrect).

We chose not to follow the author's other suggestion to abandon the lockout policy altogether, mostly because we figured the auditors would just make us put it back. :-)

--
DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.curry () newschool edu

On Wed, Nov 14, 2018 at 3:37 PM Pardonek, Jim <jpardonek () luc edu> wrote:
We are getting some grumbling from several staff that get into a password lockout condition when changing their twice a year required password. We mostly see this when people have multiple devices connected to the wireless network and they forget one of them and it locks out from re-auth requests or if they don’t change the password for their email client and that locks us out.

We have recommended procedures (turn off all devices but one and re-do the password one at a time). We’ve tried to make it less painful by upping the number of failed password attempts before it locks out, but I don’t want to get to a point where we sacrifice security for convenience.

Do any of you folks have similar issues and what have you done to make it easier?

Thanks,

Jim

*James Pardonek, MS, CISSP, CEH, GSNA*
*Information Security Officer*
*Loyola University Chicago*
*1032 W. Sheridan Road | Chicago, IL 60660*
*(773) 508-6086*

*Loyola University Chicago will never ask you for your username or password.*

*For the latest information security news at Loyola, please follow us online,*
*Twitter: @LUCUISO*
*Facebook: https://www.facebook.com/lucuiso/*
*Our Blog http://blogs.luc.edu/uiso/*