
At our small and lightly-staffed main office, we have a problem with our Active Directory password reset policy and staff using mobile devices (particularly more than one). Security policy requires an AD password reset every 30 days. Staff (usually) remember (with reminders) to take care of that on their desktop computers.

But on their iPhones/BlackBerrys/iPads, where they also have to enter the new password both for wifi settings and for their email accounts, they almost never remember. Or they remember on one device and not the others. So the device tries to connect and tries to connect, using the old password, and they are then locked out for too many attempts. They call our (extremely small--one person) tech support to help, and wasted time and hurt feelings ensue.

Does anyone have a clever solution for this? Or suggestions?

Thanks!

Joe

--
Joseph Ugoretz, PhD
Associate Dean and CIO
Teaching, Learning and Technology

Macaulay Honors College
The City University of New York
35 West 67th St.
New York, New York 10023
TEL 212-729-2920
FAX 212-580-8130
macaulay.cuny.edu

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Message from dthibeau@post03.curry.edu

Joe, Consider changing from a 30 day policy to something much longer, but enforce more complex passwords. The auditors would probably be okay with that, as long as the complexity were strong enough. That would certainly decrease the number of calls, because the passwords would change less often. Good luck!
Joe,
 
I agree with Dennis. Our auditors are comfortable with every 90 days. We've had lots of debate over changing them at all, but until our auditors are comfortable with it, we'll keep changing them. They have to be 8 characters and at least one number and one letter. People are used to them, and the employees get an email message from me (automated) that reminds them 30 days, 15 days, 5 days and 1 day from expiration.
 
Dave

 
David Hoyt
Chief Information Systems Officer
 
Collin College
Collin Higher Education Center
3452 Spur 399
McKinney, TX 75069

P - 972.599.3133   F - 972.599.3131
>>> On 9/21/2012 at 7:46 AM, in message <256D85DE-D295-4C0A-A2AD-DE53B9946513@mhc.cuny.edu>, Joseph Ugoretz <joseph.ugoretz@MHC.CUNY.EDU> wrote:
At our small and lightly-staffed main office, we have a problem with our Active Directory password reset policy and staff using mobile devices (particularly more than one).  Security policy requires an AD password reset every 30 days.  Staff (usually) remember (with reminders) to take care of that on their desktop computers.

But on their iPhones/BlackBerrys/iPads, where they also have to enter the new password both for wifi settings and for their email accounts, they almost never remember. Or they remember on one device and not the others. So the device tries to connect and tries to connect, using the old password, and they are then locked out for too many attempts. They call our (extremely small--one person) tech support to help, and wasted time and hurt feelings ensue.

Does anyone have a clever solution for this?  Or suggestions?

Thanks!

Joe

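Dave's automated reminders at 30, 15, 5 and 1 days before expiry address the root cause (users forgetting), and the same message can tell people to update every phone and tablet at the same time. The script below is an added example, not Dave's script or anything posted in the thread. It assumes the ActiveDirectory RSAT module, an SMTP relay at smtp.example.edu and a sender address it@example.edu (all assumed names), and it reads msDS-UserPasswordExpiryTimeComputed rather than pwdLastSet + MaxPasswordAge so that fine-grained password policies are honoured.

```powershell
# Added example, not from the thread. Emails each user whose AD password
# expires in exactly 30, 15, 5 or 1 days. Assumed: the ActiveDirectory RSAT
# module, an SMTP relay at smtp.example.edu and a sender it@example.edu.
Import-Module ActiveDirectory

$ReminderDays = 30, 15, 5, 1
$SmtpServer   = 'smtp.example.edu'        # assumption
$From         = 'it@example.edu'          # assumption

function Get-ExpiringPasswordUsers {
    # Returns one object per enabled, mailable user whose password expires on
    # one of the reminder days. msDS-UserPasswordExpiryTimeComputed honours
    # fine-grained password policies; it is Int64.MaxValue when the password
    # never expires (e.g. MaxPasswordAge of 0), so that case is skipped.
    param([int[]]$Days = $ReminderDays)

    $filter = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
    Get-ADUser -Filter $filter -Properties EmailAddress, 'msDS-UserPasswordExpiryTimeComputed' |
        Where-Object { $_.EmailAddress } |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }   # never expires
            $expires  = [DateTime]::FromFileTime($raw)
            $daysLeft = [int][Math]::Ceiling(($expires - (Get-Date)).TotalDays)
            if ($Days -contains $daysLeft) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    Email          = $_.EmailAddress
                    Expires        = $expires
                    DaysLeft       = $daysLeft
                }
            }
        }
}

function Send-PasswordReminder {
    param([Parameter(Mandatory)]$User, [switch]$DryRun)
    $subject = "Your network password expires in $($User.DaysLeft) day(s)"
    $body = @"
Your password expires on $($User.Expires.ToString('f')).

Change it on your desktop, then update it on EVERY phone and tablet that uses it
(both the Wi-Fi profile and the mail account). A device still holding the old
password keeps retrying and can lock your account.
"@
    if ($DryRun) {
        Write-Host "[dry run] $($User.SamAccountName) -> $($User.Email): $subject"
        return
    }
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $User.Email `
        -Subject $subject -Body $body
}

# Run once a day from Task Scheduler; keep -DryRun until the output looks right.
Get-ExpiringPasswordUsers | ForEach-Object { Send-PasswordReminder -User $_ -DryRun }
```

Because the check is for an exact number of days left, the script must run once per day; running it more often sends duplicate reminders, running it less often skips some.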

Joe,

I am guessing you don't have Enforce Password History turned on. If you have this turned on, for example with a count of 3 passwords in history, then attempts by the phone to use one of these invalid passwords will not let the user access the service, but it also will not increment the badPwdCount, so it will not lead to a lockout situation. In my experience, the user eventually realizes they need to update their password on their phone, and the help desk doesn't need to get involved with unlocking accounts.

Other than that, I agree with several other responders that password complexity is worth more than frequency of change, and I would push for a longer age.

Richard Toeniskoetter
Executive Director, Information Technology
University of Southern Indiana
812-464-1733
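Before the policy is changed, the one-person help desk still has to find out which device is hammering the account. badPwdCount and the last bad-password time are kept on each domain controller and are not replicated, so the DC that is actually seeing the failures has to be found first; that DC's Security log then shows the client address in the Kerberos pre-authentication failure event (4771, status 0x18 for a wrong password). The script below is an added example, not something posted in the thread. It assumes the ActiveDirectory RSAT module, rights to read each DC's Security log, and a sample account jdoe.

```powershell
# Added example, not from the thread. Asks every DC for its own copy of
# badPwdCount / LastBadPasswordAttempt (not replicated), then reads the
# Kerberos pre-auth failures (event 4771) from the DC recording them to see
# which client address keeps retrying. Assumed: ActiveDirectory RSAT module,
# read access to the DCs' Security logs, sample user 'jdoe'.
Import-Module ActiveDirectory

function Get-BadPasswordState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $threshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold   # 0 = lockout disabled
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                    -Properties badPwdCount, LastBadPasswordAttempt, LockedOut
            [pscustomobject]@{
                DC               = $dc.HostName
                BadPwdCount      = $u.badPwdCount
                LockoutThreshold = $threshold
                LastBadPassword  = $u.LastBadPasswordAttempt
                LockedOut        = $u.LockedOut
            }
        } catch {
            Write-Warning "$($dc.HostName): $_"
        }
    }
}

function Get-PreauthFailureSources {
    # Event 4771 carries the client IP (IpAddress) and a Status of 0x18 for a
    # wrong password. Field values are taken from the event XML by name, so the
    # code does not depend on field order.
    param([Parameter(Mandatory)][string]$DomainController,
          [Parameter(Mandatory)][string]$SamAccountName,
          [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.TargetUserName -eq $SamAccountName -and $data.Status -eq '0x18') {
                [pscustomobject]@{ Time = $_.TimeCreated; ClientAddress = $data.IpAddress }
            }
        } | Group-Object ClientAddress | Select-Object Name, Count
}

$state = Get-BadPasswordState -SamAccountName 'jdoe'
$state | Sort-Object LastBadPassword -Descending | Format-Table -AutoSize

# Query the DC holding the highest count; that is where the attempts land.
$worst = $state | Sort-Object BadPwdCount -Descending | Select-Object -First 1
if ($worst) { Get-PreauthFailureSources -DomainController $worst.DC -SamAccountName 'jdoe' }
```

One caveat for exactly the devices in this thread: a phone syncing mail through Exchange ActiveSync, or joining Wi-Fi with PEAP-MSCHAPv2 through an NPS/RADIUS server, authenticates with NTLM via that server, so the DC logs event 4776 instead of 4771 and names the Exchange or NPS server as the source workstation. The actual device then has to be identified from the IIS logs on the Exchange server (the DeviceId in the ActiveSync request) or from the NPS accounting log. Unlock-ADAccount clears the lockout, but the device keeps retrying until its stored password is updated.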
Thanks, all. While I would love to change passwords every 6 months (or more), that security policy is set centrally, not at our campus. But I do think that I can make 90 days acceptable, in combination with stronger passwords, as you suggest. Enforce password history also sounds like it will help a lot!

I appreciate the suggestions.

Joe

Joseph Ugoretz, PhD
Associate Dean and CIO
Teaching, Learning and Technology
Macaulay Honors College
City University of New York
macaulay.cuny.edu
The Enforce Password History Group Policy setting is to ensure users don't reuse passwords too frequently:

Enforce password history

This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords.

This policy enables administrators to enhance security by ensuring that old passwords are not reused continually.

Default: 24 on domain controllers. 0 on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.

To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. For information about the minimum password age security policy setting, see Minimum password age.

Jef
Director of Core Systems
Information Technology Services
Washington and Lee University

-----Original Message-----
From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Joseph Ugoretz
Sent: Friday, September 21, 2012 10:10 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Password resets (AD) and Mobile Devices

Thanks, all. While I would love to change passwords every 6 months (or more), that security policy is set centrally, not at our campus. But I do think that I can make 90 days acceptable, in combination with stronger passwords, as you suggest. Enforce password history also sounds like it will help a lot!

I appreciate the suggestions.

Joe
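The settings the thread converges on (password history 24, a minimum password age of 1 day so the history cannot be cycled through in one sitting, a 90-day maximum age with complexity) all live in the default domain password policy and can be audited and changed from PowerShell. The script below is an added example, not from the thread or from Microsoft's documentation; it assumes the ActiveDirectory RSAT module and rights to edit the Default Domain Policy, and it applies the change with -WhatIf so nothing is committed until that switch is removed. The finding on password history relies on a documented domain controller behaviour: from Windows Server 2003 on, when history is enforced, an attempt that uses one of the two most recently retired passwords is rejected but is not added to badPwdCount, which is why a phone holding last month's password stops causing lockouts.

```powershell
# Added example, not from the thread. Reads the default domain password policy,
# flags the settings discussed above, and applies the suggested change with
# -WhatIf (remove it to commit). Assumed: ActiveDirectory RSAT module and
# rights to edit the Default Domain Policy.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = New-Object System.Collections.Generic.List[string]

    if ($p.PasswordHistoryCount -lt 24) {
        $findings.Add("PasswordHistoryCount=$($p.PasswordHistoryCount): raise to 24. With history " +
            "enforced, a 2003+ DC does not count an attempt that uses one of the two most recently " +
            "retired passwords toward badPwdCount, so a stale device credential fails without locking the account.")
    }
    if ($p.MinPasswordAge -eq [TimeSpan]::Zero) {
        $findings.Add("MinPasswordAge=0: set to 1 day, otherwise a user can cycle through the whole " +
            "history in one sitting and land back on the old password.")
    }
    if ($p.MaxPasswordAge -ne [TimeSpan]::Zero -and $p.MaxPasswordAge.TotalDays -lt 90) {
        $findings.Add("MaxPasswordAge=$($p.MaxPasswordAge.TotalDays) days: every expiry is another round " +
            "of stale device passwords; 90 days with complexity is what the other posters' auditors accept.")
    }
    if (-not $p.ComplexityEnabled) {
        $findings.Add("ComplexityEnabled=False: turn it on before lengthening MaxPasswordAge.")
    }
    if ($p.MinPasswordLength -lt 8) {
        $findings.Add("MinPasswordLength=$($p.MinPasswordLength): use at least 8.")
    }
    if ($p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -lt 10) {
        $findings.Add("LockoutThreshold=$($p.LockoutThreshold): one phone retrying a mail sync " +
            "reaches a low threshold within minutes; 10 or more is a common setting.")
    }
    [pscustomobject]@{ Policy = $p; Findings = $findings }
}

$result = Test-DomainPasswordPolicy
$result.Policy | Format-List PasswordHistoryCount, MinPasswordAge, MaxPasswordAge, ComplexityEnabled,
    MinPasswordLength, LockoutThreshold, LockoutDuration, LockoutObservationWindow
$result.Findings | ForEach-Object { Write-Warning $_ }

# The change the thread converges on. Remove -WhatIf to apply it.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -ComplexityEnabled $true `
    -WhatIf
```

Where the maximum age is set centrally and cannot be changed locally, as in Joe's case, the history and minimum-age settings are still the ones that stop the lockouts, and a fine-grained password policy (New-ADFineGrainedPasswordPolicy applied to a group) can carry different values for a subset of users without touching the domain default.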