
Message from ellisj@mail.strose.edu

Here is the summary of responses to my “Three Quick Questions” Password Change Policies:

 

Question 1: Do you require your users to change their passwords on a regular basis?

    Yes: 14
    No: 1

Question 2: If so, how frequently must they be changed?

    90 days: 5
    120 days: 6
    180 days: 2
    Annually: 1

Question 3: Do you try to time password expirations to occur at specific times of the semester or year or is it a set period of time since the last password change?

    Each Term: 1
    Set Period from last change: 14

 

- John

 

John R. Ellis

Executive Director Information Technology Services

The College of Saint Rose

432 Western Avenue

Albany, New York 12203

518-454-5166

ellisj@strose.edu

www.strose.edu

ITS.strose.edu

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Message from ingerman@vassar.edu

While there were not many responses, I find this question an interesting one. I have always thought that requiring frequent password changes would lead to people either simply adding an incremental digit (or letter) to one of their "standard" passwords, or resorting to writing them down. My thought has always been that I would rather have a very hard password that they do not have to frequently change, than a password (hard or not) that needs to be changed as frequently as 90 days.

I wonder what the rest of you think.

  --Bret


I definitely think my campus would appreciate a harder password that does not require frequent changes. However, the external auditor checklist and standards seem to emphasize frequent changes, so that drives the change requirement for us.

Theresa

Message from greg.mcculloch@sic.edu

Bret,

 

I agree; we require a fifteen+ character pass phrase (jingle they can remember) but do not regularly force pw changes unless we have cause (knowledge they shared a pw with others, etc.). Now, we rarely find passwords written underneath keyboards or even worse, posted directly on the monitor.

 

Greg

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bret Ingerman
Sent: Monday, September 19, 2011 1:48 PM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Results from "Three Quick Questions" - Password Change Policies

 

While there were not many responses, I find this question an interesting one. I have always thought that requiring frequent password changes would lead to people either simply adding an incremental digit (or letter) to one of their "standard" passwords, or resorting to writing them down. My thought has always been that I would rather have a very hard password that they do not have to frequently change, than a password (hard or not) that needs to be changed as frequently as 90 days.

 

I wonder what the rest of you think.

 

  --Bret

 

 

My campus would hate "strong" passwords.  I had to force my techies to "simplify" the temp passwords we give to guest accounts.

Ken Schindler/SVSU


From: "Theresa Rowe" <rowe@OAKLAND.EDU>
To: CIO@LISTSERV.EDUCAUSE.EDU
Sent: Monday, September 19, 2011 2:52:49 PM
Subject: Re: [CIO] Results from "Three Quick Questions" - Password Change Policies

I definitely think my campus would appreciate a harder password that does not require frequent changes. However, the external auditor checklist and standards seem to emphasize frequent changes, so that drives the change requirement for us.

Theresa

I agree. Hard passwords, but if you make people change them frequently, like once a year or more, they will get written down and taped on the bottom of the keyboard.

Keith Nelson
Chief Technology Officer
Alma College


From: "Bret Ingerman" <ingerman@VASSAR.EDU>
To: CIO@LISTSERV.EDUCAUSE.EDU
Sent: Monday, September 19, 2011 2:47:47 PM
Subject: Re: [CIO] Results from "Three Quick Questions" - Password Change Policies

While there were not many responses, I find this question an interesting one. I have always thought that requiring frequent password changes would lead to people either simply adding an incremental digit (or letter) to one of their "standard" passwords, or resorting to writing them down. My thought has always been that I would rather have a very hard password that they do not have to frequently change, than a password (hard or not) that needs to be changed as frequently as 90 days.

I wonder what the rest of you think.

  --Bret


Message from ingerman@vassar.edu

Theresa:

When I talked about this strategy with the auditor this year, I did not get the sense that they would prefer frequent changes to hard passwords that don't change as often (if at all).

On Sep 19, 2011, at 2:52 PM, Theresa Rowe wrote:

I definitely think my campus would appreciate a harder password that does not require frequent changes. However, the external auditor checklist and standards seem to emphasize frequent changes, so that drives the change requirement for us.

Theresa

When you say auditor, do you mean a data security auditor? If so, who have you used? Is this an annual process?

 

Thanks for your help.

 

Brent Harris

Associate Vice President for Information Technology

Office 254-295-4658 Fax 254-295-4221

UMHB Box 8005 900 College Street Belton, Texas 76513

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bret Ingerman
Sent: Monday, September 19, 2011 4:16 PM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Results from "Three Quick Questions" - Password Change Policies

 

Theresa:

 

When I talked about this strategy with the auditor this year, I did not get the sense that they would prefer frequent changes to hard passwords that don't change as often (if at all).

On Sep 19, 2011, at 2:52 PM, Theresa Rowe wrote:



I definitely think my campus would appreciate a harder password that does not require frequent changes. However, the external auditor checklist and standards seem to emphasize frequent changes, so that drives the change requirement for us.

Theresa

The SOP for Norwich was 90; it was changed to 180 by our CISO. However, there is no functional difference, given the required password length and complexity, between 90 and 180 day change cycles. This is a myth that is not supported by mathematical facts. However, that is not the real question. The real question is whether passwords are the appropriate answer at all. And the answer to that is no. Some sort of token or single-use password is the best solution. However, that probably is not practical here. A solution we would like to work towards would be a campus-wide Single Sign On (SSO) solution. Ultimately have everything tied to that network logon and add a token or two-factor authentication option.

 

Joe

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bret Ingerman
Sent: Monday, September 19, 2011 5:16 PM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Results from "Three Quick Questions" - Password Change Policies

 

Theresa:

 

When I talked about this strategy with the auditor this year, I did not get the sense that they would prefer frequent changes to hard passwords that don't change as often (if at all).

On Sep 19, 2011, at 2:52 PM, Theresa Rowe wrote:



I definitely think my campus would appreciate a harder password that does not require frequent changes. However, the external auditor checklist and standards seem to emphasize frequent changes, so that drives the change requirement for us.

Theresa
