Password Change Frequency - PCI

Posted by listserv-anon on October 23, 2012

Message from cruch@fsmail.bradley.edu

At Bradley, we use the PCI requirements to define how often we require password changes. In the PCI requirements it says:

8.5.9 Change user passwords at least every 90 days.

The last discussion we had here about password change frequency a number of schools indicated they had longer password life than these 90 days. For those of you with longer password life, can you tell me how you handle the PCI requirement? For example, do you have different requirements for PCI 'people' than for others?

Thanks in advance,

Chuck

***************************************************
J. C. "Chuck" Ruch
Associate Provost for IRT/CIO
Bradley University
Office (309) 677-3100
Cell (309) 370-7104, Fax - (309) 677-3092
cruch@bradley.edu

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Post a Comment

Comments

You may want to check out the thread “Password Policies” from last month:

http://listserv.educause.edu/cgi-bin/wa.exe?A1=ind1209&L=CIO

The discussion was about password expiration, but it wasn’t PCI-specific. These comments stand out:

Chris Boniforti:

“@Lynn University we decided to do the password policy by groups and depending on what type of access these groups have. For instance, any staff/faculty with access to financials, IT and other deemed sensitive information or access are in the 90 day group (also satisfied our financial auditors), faculty are in the every semester group or 180 days group and some few individuals are in the 360 day group. This has worked fairly well for us.” Rich Kogut: “When I was at Georgetown and then at UC Merced, we went with no expiration (but stringent standards, password locking after failed attempts, etc.). I had an interesting fight with what was then Price Waterhouse auditors at the time at Georgetown who were pushing back against the policy. I showed them a research article from Gartner questioning the wisdom of requiring periodic password changes, citing anecdotal evidence of folks putting their recently changed passwords on sticky notes on their monitors, etc., and challenged them to find a single piece of research that supported any value in changing passwords.
After many months, they failed to do so. They did find a paragraph somewhere, that if I remember correctly, said that computer users benefiting from federal grants needed to follow the NIST guidelines, and those guidelines do require periodic password changes (but still without any real basis for it). So the irony was that the auditors, who were looking at administrative system security, pretty much only came up with a requirement (but no other justification) that researchers change their passwords periodically. Good luck with that.”

Steven Alexander Jr.

Online Education Systems Manager

Merced College

Posted by: alexander.s@mccd.edu on October 23, 2012

PCI requirements are also 6-8 characters, which is low. Several years ago, I spoke with a DoD representative and they determined that a more complex password that is changed annually is more secure than a simpler password changed more often. People have a tendency to write down their password when the requirements to change it are more frequent. Also, some systems are still struggling with the special characters in the password.

So, as a follow-up, what about an 8-12 character requirement changed annually?

Thanks!

Mark

______________________________________________

Mark Staples

Vice President & Chief Information Officer

Wentworth Institute of Technology

Division of Technology Services

Williston Hall | 550 Huntington Avenue | Boston, Ma 02115

Office Phone: 617-989-4592 | Mobile: 617-543-4184

email: staplesm@wit.edu | Twitter: markstaples_cio

LinkedIn: http://www.linkedin.com/in/markallenstaples

blog: http://blogs.wit.edu/cio

http://www.wit.edu

Publication: Making Room for Yes: It Starts at the Top

______________________________________________

"The conventional view serves to protect us from the painful job of thinking." -John Kenneth Galbraith

Posted by: markallenstaples on October 23, 2012

I had advocated not expiring at all, in general. But I would absolutely make exceptions for special accounts, either due to legal/audit requirements, or because some accounts are just too powerful. For example, we protect our sysadmin accounts with SecuriID, which effectively changes the "password" every minute. Exceptions for PCI seem reasonable to me.

Password aging and password complexity defend against *different* attacks. You cannot fully trade one off against the other. If you increase the complexity (to defend against guessing attacks), the password can still be compromised by social engineering or web malware. Aging, if properly done, can defend somewhat against these two as well. You absolutely need a reasonably complex password, but you need other defenses in addition; aging may or may not be a good choice in your envionment.

Bob Goldstein

On 10/23/2012 01:57 PM, Staples, Mark wrote:

PCI requirements are also 6-8 characters, which is low. Several years ago, I spoke with a DoD representative and they determined that a more complex password that is changed annually is more secure than a simpler password changed more often. People have a tendency to write down their password when the requirements to change it are more frequent. Also, some systems are still struggling with the special characters in the password.

So, as a follow-up, what about an 8-12 character requirement changed annually?

Thanks!

Mark

______________________________________________

Mark Staples

Vice President & Chief Information Officer

Wentworth Institute of Technology

Division of Technology Services

Williston Hall | 550 Huntington Avenue | Boston, Ma 02115

Office Phone: 617-989-4592 | Mobile: 617-543-4184

email: staplesm@wit.edu | Twitter: markstaples_cio

LinkedIn: http://www.linkedin.com/in/markallenstaples

blog: http://blogs.wit.edu/cio

http://www.wit.edu

Publication: Making Room for Yes: It Starts at the Top

______________________________________________

"The conventional view serves to protect us from the painful job of thinking." -John Kenneth Galbraith

Posted by: bobg on October 23, 2012

Message from cruch@fsmail.bradley.edu

To clarify: I have read recent posts. I'm specifically looking fro someone who has addressed the PCI requirement that passwords be changed every 90 days but has a longer than 90 day password life for your school.

Do you treat the PCI group with separate password life requirements?

Chuck

Posted by: listserv-anon on October 23, 2012

Main Nav

Publications

Research

Major Conferences

Online Events

Special Topic Events

Events for all Levels and Interests

Career Center

Leadership and Management Programs

Fellowships and Awards

Getting Involved

Jump Start Your Career Growth

Latest Topics

EDUCAUSE organizes its efforts around three IT Focus Areas

Join These Programs If Your Focus Is

From the Blogs

Find Others

Share Ideas

Get on the Higher Ed IT Map

2013 Strategic Priorities

Membership

Who We Are

Stay Informed

Uncommon Thinking for the Common Good™