
I'm not a security expert, but we do have some pretty good ones for both policy and security. IU has not pursued the path of requiring short password change intervals as this can further exacerbate opportunities for social engineering where users feel compelled to record their latest, latest password in some less secure place. Others may have different views regarding what is effective.

We've focused on Pass Phrases with longer length of at least 15 characters and two factor for systems that handle secure data.

More at http://kb.iu.edu/data/acpu.html

--Brad
------------------------------------------------------------------
IU Vice President for IT & CIO, Dean, and Professor
Indiana University, http://ovpit.iu.edu

Comments

We are taking much the same approach at Reed College.  Longer passphrases and two factor authentication (using one-time codes for high security applications) decrease the burden on users while improving security.  Expiring passwords seems like low-hanging fruit for IT organizations but a headache for users (with questionable efficacy given the most likely vectors for credential compromise....)

Marty

=================================
Martin Ringle, Chief Information Officer   
Reed College, Portland, OR 97202          
503-777-7254   email:   cio@reed.edu                          
=================================


That is precisely where we want to go.  Our problem is making sure that whatever we do will pass muster with our auditors.  I wish I could present them with a proposal and have them say yay or nay, but they tell me that if they give us advice they then cannot audit us on that topic.

Was there resistance on your campus to the longer phrases?  I have mentioned it to people here and let’s just say they were not enthusiastic…

  —Bret



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bret Ingerman
Vice President for Information Technology
Tallahassee Community College
444 Appleyard Drive
Tallahassee, FL  32304-2895

ingermab@tcc.fl.edu
850-201-6082 (phone)
850-201-8593 (fax)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

365 days except for sysadmins

Went to 365 when we changed to passphrase with length of 15-30 characters

see http://www.uni.edu/its/support/article/706

see -28.75% impact on our help center trends at

http://www.uni.edu/its/services/statistics/computer-consulting-center-statistics
Director, ITS - User Services
University of Northern Iowa
36 ITTC Building
Cedar Falls, IA 50614-0522
Phone: 319-273-6460  fax: 319-273-2517
"For deaf or hard of hearing, use Relay 711"
Website: http://www.uni.edu/peterson
"The University of Northern Iowa provides transformative learning experiences that inspire students to embrace challenge, engage in critical inquiry and creative thought, and contribute to society."

On 3/4/2014 10:04 AM, Martin Ringle wrote:


Bret-

The selling point for longer passphrases is that they can be more mnemonic as well as harder to crack.  Some people get that, some people don't.

The auditor problem is indeed a thorny issue.  Despite the fact that IT security experts have energetically debated password expiration for the past few years --- and many top people feel that other, more effective and less onerous strategies should take precedence --- auditors tend to stick with the traditional "accepted wisdom" and there's not much point in arguing about it when your institution is undergoing an audit.  Hopefully, auditors will eventually revisit this issue and, perhaps in conjunction with EDUCAUSE security experts, arrive at a better assessment matrix.

Marty
 
=================================
Martin Ringle, Chief Information Officer   
Reed College, Portland, OR 97202          
503-777-7254   email:   cio@reed.edu                          
=================================





I discussed offering passphrases, with less complex rules.  There was concern that if I knew a user well I would more likely be able to guess their password.  What if they are always singing a lyric or giving movie quotes?

 

Has this concern been brought up in your pre/post planning meetings?

What password complexity are people using with passphrases?

 

James Farr

Utica College

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Martin Ringle
Sent: Tuesday, March 4, 2014 12:00 PM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: Quick poll -- The Right Question?

 

All,
Beyond the general weakness of passwords, one area that Internet2's Trust and Identity efforts attempt to address through use of Federated Identity (InCommon.org) is to avoid the reuse of passwords by having secure federation of applications.  However, we have noticed that people commonly use their internal passwords for external personal cloud services or other applications that may not have good security or, if breached, expose institutional system accounts to risk, where the individual user's reused password is now the vector of vulnerability.

One proposed solution is broader use of a password manager (http://en.wikipedia.org/wiki/Password_manager) that is independent of the browser and incorporates support for multi-factor authentication.  Internet2 campuses have suggested implementing a NET+ service with LastPass, RoboForm, Dashlane, Password Genie, SplashID, KeePass or other similar service as part of a solution where a campus provides easy deployment for such a service as yet another layer to help end users secure their personal environments, which in turn enhances the security of campus systems.

Regardless, after undergoing countless security audits as CIO at UC Berkeley during the past decade, my sense is that the forced password change model is a non-effective item on an auditor's checklist.  We need to support better tool deployment and make more extensive use of multi-factor authentication.  New versions that support soft tokens like Duo, Toopher, and many others plus physical tokens like YubiKey are really going to be part of our future.  I encourage everyone to read the materials on the FIDO Alliance (fidoalliance.org) on the direction that the industry is moving.

Regards,
Shel

Shelton Waggener
Senior Vice President, Internet2
6001 Shellmound Street, Suite 300
Emeryville, CA 94611
Office: 510-858-0880
Cell: 510-710-3360

Don’t forget to register for the Internet2 2014 Global Summit  April 6-10 in Denver Colorado. 

"There are few, if any, jobs in which ability alone is sufficient. Needed, also, are loyalty, sincerity, enthusiasm and team play."
-- William B. Given Jr.



Brad has hit the nail on the head I think; we have gone to two factor for systems that handle sensitive data which gives us the equivalent of a 14 character password which changes every minute. For everything else - we are much more relaxed - passwords are 8 characters and have to change every six months.
UMBC uses the NIST guidelines, 800-63, which provides auditors with evidence that you can maintain security without mandatory password changes. There is a spreadsheet developed by NIST that calculates password strength for varying criteria, including mandatory change time. The spreadsheet shows the key variable is the range of characters you require. Finally, like Tim and Shel, UMBC is going towards second factor for most power users using the InCommon second factor solutions.

Thanks
Jack Suess
UMBC Division of Information Technology (DoIT)

60 days for us for most users

JP Peters
College of Sciences
University of Central Florida
Sent from my iPhone

This has been a great thread today on the topic of reducing risks associated with compromised accounts. I just tried to play catch-up in the last 15 minutes. We currently are annual resets with a renewed focus on stronger/longer passwords and/or more frequent resets and/or multi-factor for accounts with access to sensitive information. Exact implementation TBD in the very near future.

With regard to phishing, isn't the ONLY answer multi-factor? Whether it's an 8 character password or a 15 character passphrase (and regardless of strength), if someone is going to get fooled into giving it up isn't length or strength irrelevant? Also, isn't the refresh rate largely irrelevant with phishing? Seems like when I see someone fooled by phishing his/her account begins spamming pretty quickly so resetting it every 60 days or every year won't change things in that world unless I am missing something. Increased user education, combined with some method of extra validation for communications that really do come from campus IT, are going to be key.

...Justin

--------
Justin Sipher
Vice President of Libraries & Information Technology
St. Lawrence University
jsipher@stlawu.edu
twitter.com/justinsipher

There have been past discussions on this list about password aging (forcing the change of a password based solely on time) vs password strength (character types, length, etc). They are two different types of defenses for two different types of attacks. I personally think password strength to be much more important than aging.

You should also consider reactive vs preventative defense. Both are important, but it is sometimes much easier to react. For example, watching logs and quickly automatically suspending accounts for sending too much email can catch and mitigate account compromise, in many cases more effectively than preventing the compromise in the first place.

Rather than concentrate on one specific issue (aging in this case), you want to consider your overall security posture in context, and adjust to the extent needed.

Bob

Robert Goldstein
Director
Office of Information Technology
Pitzer College
1050 N Mills Ave.
Claremont CA 91711

On 3/4/14 7:15 AM, "Wheeler, Bradley C" wrote:
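Bob's reactive control, watching mail logs and suspending accounts that suddenly send too much, is concrete enough to sketch. The block below is an added example, not code from Pitzer or from anyone in the thread. It works over constructed Postfix-like queue-manager lines embedded in the block (invented for the example, not real logs), counts recipients per sender in a sliding ten-minute window, and records a suspension when the window total passes a threshold. The window, the threshold, the log format and the sender names are all assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, Postfix-like queue-manager lines (invented, not real).
# mallory is the compromised account; bob's single 60-recipient message is a
# legitimate class mailing that must not trip the rule.
SAMPLE_LOG = """\
2014-03-04T09:00:00 postfix/qmgr: from=<mallory@example.edu>, size=800, nrcpt=45
2014-03-04T10:00:01 postfix/qmgr: from=<alice@example.edu>, size=1200, nrcpt=1
2014-03-04T10:00:10 postfix/qmgr: from=<bob@example.edu>, size=5200, nrcpt=60
2014-03-04T10:01:00 postfix/qmgr: from=<Mallory@example.edu>, size=810, nrcpt=40
2014-03-04T10:01:30 postfix/qmgr: from=<mallory@example.edu>, size=812, nrcpt=40
2014-03-04T10:02:15 postfix/qmgr: from=<alice@example.edu>, size=1300, nrcpt=2
2014-03-04T10:02:40 postfix/qmgr: from=<mallory@example.edu>, size=809, nrcpt=40
2014-03-04T10:03:00 postfix/smtpd: connect from unknown[198.51.100.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) postfix/qmgr: from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_events(text: str):
    """Yield (timestamp, sender, recipient_count) for queue-manager lines; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["sender"].lower(), int(m["nrcpt"])


class RecipientRateMonitor:
    """Sliding-window recipient count per sender; suspend when the window total
    exceeds `max_recipients`. Assumes events arrive in time order, as a log tail does."""

    def __init__(self, window_seconds: int = 600, max_recipients: int = 100):
        self.window_seconds = window_seconds
        self.max_recipients = max_recipients
        self._events = defaultdict(deque)   # sender -> deque of (timestamp, nrcpt)
        self._totals = defaultdict(int)     # sender -> recipients inside the window
        self.suspended = {}                 # sender -> time the suspension fired

    def observe(self, ts: datetime, sender: str, nrcpt: int) -> bool:
        """Record one event; return True if the sender is (now) suspended."""
        if sender in self.suspended:
            return True
        q = self._events[sender]
        q.append((ts, nrcpt))
        self._totals[sender] += nrcpt
        # Expire events that have fallen out of the window before judging.
        while q and (ts - q[0][0]).total_seconds() > self.window_seconds:
            _, old = q.popleft()
            self._totals[sender] -= old
        if self._totals[sender] > self.max_recipients:
            self.suspended[sender] = ts
            return True
        return False


def suspensions(log_text: str, window_seconds: int = 600, max_recipients: int = 100) -> dict:
    """Replay a log through the monitor; return {sender: ISO time of suspension}."""
    mon = RecipientRateMonitor(window_seconds, max_recipients)
    for ts, sender, nrcpt in parse_events(log_text):
        mon.observe(ts, sender, nrcpt)
    return {s: t.isoformat() for s, t in mon.suspended.items()}


if __name__ == "__main__":
    print(suspensions(SAMPLE_LOG))  # {'mallory@example.edu': '2014-03-04T10:02:40'}
```

Counting recipients rather than messages catches the usual compromise pattern (a handful of messages, each to dozens of addresses) while leaving one legitimate bulk mailing alone, and the time window stops an account's activity from an hour earlier from pushing it over the line now. The suspension itself has to do more than block SMTP: the phisher already holds the credential, so active sessions and any application passwords need revoking before the user is walked through a reset.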