
At Hamilton College we are considering the use of very long, simple passwords in lieu of those that are short and very complex. If you currently require long passwords (12 char or greater) at your institution, we would be grateful if you could answer the following questions.


  1. How did you prepare your campus for the use of long passwords?
  2. What resistance did you face from your community and how was it ultimately resolved?
  3. What is the minimum number of characters you require? Why?
  4. Has your use of long passwords improved password security (e.g. users aren’t writing them on post-it notes)?


Dave

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.

Comments

Dave,

 

At Utica College we are considering the use of longer passwords.  In addition we are considering lengthening the expiration time between changes.

 

Last year I did a survey asking preference of short complex passwords and passphrases (8 character passwords vs. 15 character passphrases). A large majority of people preferred the short complex password.

This year I asked a similar but different question at a new hire orientation.  Almost everyone said they would prefer a longer password, if it meant they could change it less often.

I plan on exploring this in more depth over the course of the next couple months.

 

James Farr

 

From: "David Smallen" <dsmallen@HAMILTON.EDU>

  1. How did you prepare your campus for the use of long passwords?
  2. What resistance did you face from your community and how was it ultimately resolved?
  3. What is the minimum number of characters you require? Why?
  4. Has your use of long passwords improved password security (e.g. users aren’t writing them on post-it notes)?

-----------

Hi Dave, 

We are in the midst of rolling out longer pass phrases to replace our previous 8 character passwords as part of a larger effort to ensure that we are InCommon Bronze or Silver compliant. 

The big picture of the importance of authentication and authorization was discussed with our faculty/staff IT Policy Committee in December 2012, including the foreshadowing of upcoming changes for longer passwords and password expiration. There's a link to the presentation at iam.uwm.edu.

A pilot group then began quietly testing longer passwords with each of our many distributed systems to see what, if anything, would break. 

The longer password effort got underway in earnest in April 2013 when the CIO's Cabinet (his direct reports) officially approved the effort going public. 

Another discussion focusing specifically on longer passwords was held with the faculty/staff IT Policy Committee at their May 2013 meeting. A major "selling factor" was that new passphrases would be easier to remember than obtuse 8 character passwords of random characters. The committee members were shown how the password change process would automatically check new phrases for "guessability" as they were entered via a bar graph that changed from red to green. 

Also in May 2013, the members of the CIO's Cabinet changed their own passwords to the new criteria, i.e., we ate our own dog food. A demonstration was also done for the many distributed IT staff across campus and they were invited to aid in the testing effort. As a result of their help, the maximum permissible length was reduced from 50 to 32 characters.

Testing with users and systems continued throughout the summer and a general campus news announcement was made on August 30th that pass phrases would be available, but not required for all users on September 16th.

The gist of the announcement was that for the near term, all current 8-character passwords would continue to be valid until changed. After Sept. 16, all newly-issued IDs would require a 10-32 character password. Known passwords could be changed to longer pass phrases in real time by anyone who wished to do so. 

There has not been much push back because the new passphrases are optional for the existing community (unless someone's account is compromised) and new users don't know any differently. 

We are still at this stage and have just begun the process of determining what password expiration schedule is right for us. Currently, our passwords, like diamonds, are forever. In February, we will begin having this discussion with our IT Policy Committee. Password expiration will obviously "force" everyone to move to the longer pass phrases at some point in the not too distant future. 

These are just two components of the overall Identity & Access Management Roadmap developed by Chris Spadanuda and his team. 

- David

David Stack, PhD
Chief Operating Officer and Deputy CIO
University IT Services
University of Wisconsin-Milwaukee
414-229-5371
david@uwm.edu



Forwarding this from IU’s Chief Security Officer, and adding that we’ve had good experience in the move to Passphrases over other historical approaches.   --Brad

 

Dear David,

 

Indiana University implemented passphrases in a phased approach. We began planning in 2006 and implemented them in October 2007. It began with a technical review: could our systems handle the longer passphrases? Once we completed the review and determined it was technically feasible, we solicited input from our faculty council technology sub-committees and then began spreading the word that the change was coming through our department and university-wide news releases. We also had a faculty member create a video like this one (http://protect.iu.edu/cybersecurity/safeonline/passphrases) illustrating the importance of passphrases. Having the faculty see this from one of their own helped a lot. We informed the faculty, staff, and students that existing accounts could keep their existing passwords. New accounts would have to comply with a longer passphrase. Also, anyone that forgot their password would have to create a new passphrase with the longer requirements.

 

Passphrases must contain at least 15 characters.  For a full description of our passphrase requirements, see http://kb.iu.edu/data/acpu.html. Initially, folks had a difficult time grasping the concept of a passphrase; they thought we just increased the length requirement and that they still needed to enter all sorts of special characters and jumbled letters to make up their passphrase.

 

At first, we did not encounter much resistance at all from faculty, staff, or students since they could keep their existing passwords.  However, in 2012, we altered our policy such that any password or passphrase that had not been changed in the last 2 years had to then be reset, and reset to the 15 characters or more passphrase requirement.  At this point, we could say this is not a new policy at all, but rather that they just now had to abide by a policy that had been 5 years old.  Once again, we used news releases and meetings with various committees and faculty councils to help allay concerns. 

 

We don't have any hard data that use of passphrases has helped reduce security breaches but we can say that we aren't seeing any successful intrusions of malevolent users trying to brute force passphrases.

 

We wish you the best in your efforts to implement passphrases and are happy to loan you guidance from our experience.

 

Regards,

Tom

 

--

Tom Davis, CISSP, CISM

Chief Security Officer

Public Safety and Institutional Assurance Indiana University https://protect.iu.edu/tdavis
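
The two rollouts above describe the same control from two campuses: a length window on the new passphrase (UWM: 10 to 32 characters, the maximum cut from 50 after testing against distributed systems; IU: at least 15, no maximum stated) plus, at UWM, a "guessability" check shown to the user as a red-to-green bar while they type. The block below is an added example of such a check, written for this page and not UWM's or IU's own code. The two policies are taken from the messages; the word list, its assumed size of 20,000 entries, and the red/yellow/green thresholds are assumptions for illustration. The estimate is deliberately the weaker of a brute-force and a dictionary view, because a long passphrase made of a few common words is much cheaper to guess than its length suggests.

```python
"""Passphrase policy check modelled on the UWM and IU rollouts in the thread:
a length window plus a guessability estimate of the kind a red/green strength
bar would display.  Added example, not either university's implementation."""
import math
import re

# Policies as stated in the thread.  IU's message gives no maximum, hence None.
UWM_POLICY = {"min_len": 10, "max_len": 32}
IU_POLICY = {"min_len": 15, "max_len": None}

# Constructed stand-in for a cracking dictionary (assumption: a real check
# would load a large wordlist).  DICT_SIZE is the assumed size of that real
# list and sets the per-word cost; the tiny set is used for membership only.
COMMON_WORDS = {"password", "passphrase", "welcome", "summer", "university",
                "correct", "horse", "battery", "staple", "letmein", "qwerty"}
DICT_SIZE = 20000


def charset_bits(s: str) -> float:
    """Naive brute-force search space, log2(alphabet ** len), where the
    alphabet is the union of the character classes actually present."""
    size = 0
    if re.search(r"[a-z]", s):
        size += 26
    if re.search(r"[A-Z]", s):
        size += 26
    if re.search(r"[0-9]", s):
        size += 10
    if re.search(r"[^A-Za-z0-9]", s):
        size += 33  # printable ASCII minus alphanumerics, space included
    return len(s) * math.log2(size) if size else 0.0


def guess_bits(s: str) -> float:
    """Guessability estimate: the weaker of brute force and a dictionary
    attack that buys each common word for log2(DICT_SIZE) bits.  Tokens are
    runs of letters, runs of digits, or runs of other characters."""
    tokens = re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", s)
    dictionary = 0.0
    for tok in tokens:
        if tok.lower() in COMMON_WORDS:
            dictionary += math.log2(DICT_SIZE)
        else:
            dictionary += charset_bits(tok)
    return min(charset_bits(s), dictionary)


def rating(bits: float) -> str:
    """Bands for a strength bar.  The thresholds are an assumption."""
    if bits < 40:
        return "red"
    if bits < 60:
        return "yellow"
    return "green"


def check_passphrase(pw: str, policy: dict) -> tuple[bool, list[str]]:
    """Enforce the policy's length window, then require the guessability
    estimate to reach the green band.  Returns (accepted, reasons)."""
    reasons = []
    if len(pw) < policy["min_len"]:
        reasons.append(f"shorter than {policy['min_len']} characters")
    if policy["max_len"] is not None and len(pw) > policy["max_len"]:
        reasons.append(f"longer than {policy['max_len']} characters")
    bits = guess_bits(pw)
    if rating(bits) != "green":
        reasons.append(f"too guessable ({bits:.0f} bits, {rating(bits)})")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample candidates: an 8-char "complex" password, a
    # four-word passphrase, and a sentence too long for UWM's 32-char cap.
    for pw in ["Tr0ub4d&3", "correct horse battery staple",
               "my cat knocked the lamp off the desk in 2013"]:
        for name, policy in (("UWM", UWM_POLICY), ("IU", IU_POLICY)):
            ok, why = check_passphrase(pw, policy)
            print(f"{name:3} {pw!r}: {'accepted' if ok else 'rejected'} {why}")
```

The `max_len` branch is the part most likely to be overlooked: UWM's pilot found that something in the distributed systems could not take 50-character phrases, and a change form that accepts more than the weakest backend will store or compare a silently truncated value. Whatever cap the systems actually honour is the cap the form should enforce.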

 

 

Thanks Brad

On 11/1/2013 3:33 PM, Wheeler, Bradley C wrote: