
Message from cruch@fsmail.bradley.edu

At Bradley, we use the PCI requirements to define how often we require password changes.  In the PCI requirements it says:
8.5.9 Change user passwords at least every 90 days.
The last discussion we had here about password change frequency a number of schools indicated they had longer password life than these 90 days.  For those of you with longer password life, can you tell me how you handle the PCI requirement?  For example, do you have different requirements for PCI 'people' than for others?

Thanks in advance,
Chuck

-- 
***************************************************
J. C. "Chuck" Ruch
Associate Provost for IRT/CIO
Bradley University
Office (309) 677-3100
Cell (309) 370-7104, Fax - (309) 677-3092
cruch@bradley.edu

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

You may want to check out the thread “Password Policies” from last month:


http://listserv.educause.edu/cgi-bin/wa.exe?A1=ind1209&L=CIO


The discussion was about password expiration, but it wasn’t PCI-specific.  These comments stand out:


Chris Boniforti:


“@Lynn University we decided to do the password policy by groups and depending on what type of access these groups have. For instance, any staff/faculty with access to financials, IT and other deemed sensitive information or access are in the 90 day group (also satisfied our financial auditors), faculty are in the every semester group or 180 days group and some few individuals are in the 360 day group. This has worked fairly well for us.”

Rich Kogut:

“When I was at Georgetown and then at UC Merced, we went with no expiration (but stringent standards, password locking after failed attempts, etc.). I had an interesting fight with what was then Price Waterhouse auditors at the time at Georgetown who were pushing back against the policy. I showed them a research article from Gartner questioning the wisdom of requiring periodic password changes, citing anecdotal evidence of folks putting their recently changed passwords on sticky notes on their monitors, etc., and challenged them to find a single piece of research that supported any value in changing passwords.

After many months, they failed to do so. They did find a paragraph somewhere, that if I remember correctly, said that computer users benefiting from federal grants needed to follow the NIST guidelines, and those guidelines do require periodic password changes (but still without any real basis for it). So the irony was that the auditors, who were looking at administrative system security, pretty much only came up with a requirement (but no other justification) that researchers change their passwords periodically. Good luck with that.”


Steven Alexander Jr.

Online Education Systems Manager

Merced College
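One way to implement the group-based password life Chris Boniforti describes (PCI-scoped accounts on a 90 day clock, everyone else longer, with the shortest tier winning when an account is in several groups), as an added Python example that is not from the list or any school's own tooling; the group names, the default tier and the sample accounts are assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum password age per group, in days. The tiers mirror the Lynn
# University scheme quoted above: accounts with PCI / financial / IT access
# expire at 90 days (PCI DSS 8.5.9), faculty at 180, a few low-risk
# accounts at 360. Group names and the default tier are hypothetical.
MAX_AGE_DAYS = {
    "pci-cardholder": 90,
    "financials": 90,
    "it-staff": 90,
    "faculty": 180,
    "low-risk": 360,
}
DEFAULT_MAX_AGE = 180
TODAY = date(2012, 10, 23)  # evaluation date for the sample run

@dataclass
class Account:
    user: str
    groups: tuple
    last_change: date

def max_age_for(groups):
    """Shortest max age across an account's groups: the PCI tier always wins."""
    ages = [MAX_AGE_DAYS[g] for g in groups if g in MAX_AGE_DAYS]
    return min(ages) if ages else DEFAULT_MAX_AGE

def expiry_status(acct, today=TODAY):
    """Return (max_age_days, days_until_expiry); negative means overdue."""
    max_age = max_age_for(acct.groups)
    expires_on = acct.last_change + timedelta(days=max_age)
    return max_age, (expires_on - today).days

def overdue_accounts(accounts, today=TODAY):
    """Users whose password is older than their group-derived max age."""
    return [a.user for a in accounts if expiry_status(a, today)[1] < 0]

# Constructed sample accounts, not real data.
SAMPLE = [
    Account("alice", ("faculty", "financials"), date(2012, 7, 1)),  # 90-day tier
    Account("bob", ("faculty",), date(2012, 7, 1)),                  # 180-day tier
    Account("carol", ("low-risk",), date(2011, 11, 1)),              # 360-day tier
    Account("dave", (), date(2012, 1, 1)),                           # default tier
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.user, *expiry_status(a))
    print("overdue:", overdue_accounts(SAMPLE))  # overdue: ['alice', 'dave']
```

Alice is in the faculty group but her financials membership pulls her onto the 90 day clock, which is the separate PCI treatment the original question asks about.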


PCI requirements are also 6-8 characters, which is low. Several years ago, I spoke with a DoD representative and they determined that a more complex password that is changed annually is more secure than a simpler password changed more often. People have a tendency to write down their password when the requirements to change it are more frequent. Also, some systems are still struggling with the special characters in the password.

So, as a follow-up, what about an 8-12 character requirement changed annually? 

Thanks!

Mark

______________________________________________
Mark Staples
Vice President & Chief Information Officer
Wentworth Institute of Technology
Division of Technology Services

Williston Hall | 550 Huntington Avenue | Boston, MA 02115
Office Phone: 617-989-4592 | Mobile: 617-543-4184
email: staplesm@wit.edu | Twitter: markstaples_cio
______________________________________________

"The conventional view serves to protect us from the painful job of thinking." -John Kenneth Galbraith

I had advocated not expiring at all, in general.  But I would absolutely make exceptions for special accounts, either due to legal/audit requirements, or because some accounts are just too powerful.  For example, we protect our sysadmin accounts with SecurID, which effectively changes the "password" every minute.  Exceptions for PCI seem reasonable to me.

Password aging and password complexity defend against *different* attacks.  You cannot fully trade one off against the other.  If you increase the complexity (to defend against guessing attacks), the password can still be compromised by social engineering or web malware.  Aging, if properly done, can defend somewhat against these two as well.  You absolutely need a reasonably complex password, but you need other defenses in addition; aging may or may not be a good choice in your environment.

Bob Goldstein



On 10/23/2012 01:57 PM, Staples, Mark wrote:

Message from cruch@fsmail.bradley.edu

To clarify: I have read recent posts.  I'm specifically looking for someone who has addressed the PCI requirement that passwords be changed every 90 days but has a longer than 90 day password life for your school.

Do you treat the PCI group with separate password life requirements?
Chuck

-- 
***************************************************
J. C. "Chuck" Ruch
Associate Provost for IRT/CIO
Bradley University
Office (309) 677-3100
Cell (309) 370-7104, Fax - (309) 677-3092
cruch@bradley.edu