
Interesting thread.

 

Why have passwords changed on a regular or irregular interval?

 

I have observed at various colleges that supervisors sometimes have rights that their administrative assistants do not have. So what happens is that the supervisor (against policy) will give their password to another person. If that person then leaves that position, they still know the password even after they leave.

 

By requiring password changes, you at least eliminate these former employees from having access to supervisor accounts.

 

Believe me, it happens. The same thing with students…they may share passwords, if for nothing else but to allow a friend to log on to a networked computer and print on their account. This happens even when that person is no longer a student at the college.

 

Sometimes the biggest threats come from within your system; it’s not always the hacker from another state or country that you have to watch for.

 

 

Susan Wheeler, Ed. D.

Director, Technology Services

Illinois Central College

One College Drive

East Peoria, IL 61635-0001

 

swheeler@icc.edu

Office Phone: 309-694-8855

 

Technology Services staff will never ask for your password in an email.
Don't ever email your password to anyone or share confidential information in emails!!

 

Confidentiality Notice: This electronic message including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

 

 

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Robert Paterson
Sent: Wednesday, August 14, 2013 7:21 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Strong Password Management Policy

 

And Bret… I really want World Peace… Best, Rob

 

Dr. Robert Paterson

Vice President – Information Technology, Planning and Research

Molloy College

Rockville Centre, NY

New Phone Numbers for Molloy College
Main number:   516-323-3000

Direct number:  516-323-4848

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of BRET INGERMAN
Sent: Wednesday, August 14, 2013 8:18 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Strong Password Management Policy

 

I have greatly enjoyed this thread. Having moved from a private to a public institution, I have had to address an increased level of accountability to auditors from our State. They have made it clear that we must expire our passwords. Our practice is that the password must be changed every 60 days for anyone with access to our ERP system, and system administrators must change their password every 45 days. Even more interesting: once someone changes their password, they must wait 24 hours to change it again. The reasoning is as follows: Active Directory stores the last 12 passwords that you have used and will not let you reuse one of them. If we let people change their password without a delay, the auditors fear that people will quickly make 12 successive changes and then go back to their original password on the 13th change.

 

It would be great if there really would be a consensus on password change policies.  And right after that, we can tackle world peace…

 

  --Bret

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bret Ingerman
Vice President for Information Technology
Tallahassee Community College
444 Appleyard Drive
Tallahassee, FL  32304-2895

ingermab@tcc.fl.edu
850-201-6082 (phone)
850-201-8593 (fax)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
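The combination Bret describes, a 12-entry password history plus a 24-hour minimum age, is easy to model. The Python below is an added example, not code from the thread or from Active Directory; it implements both checks against a small account record and simulates the cycling trick the auditors are worried about. The start date, the password strings and the salted-SHA-256 storage are assumptions made for the example.

```python
"""Password-history and minimum-age policy model (added example).

The last `history_count` password hashes are remembered and refused on
reuse, and a new password must be kept for `min_age` before the next
change. Hashes are salted SHA-256 for brevity; a real credential store
would use a slow, memory-hard KDF such as scrypt or Argon2.
"""
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


class PolicyViolation(Exception):
    """Raised when a password change is refused by policy."""

@dataclass
class PasswordPolicy:
    history_count: int = 12                  # remembered previous passwords
    min_age: timedelta = timedelta(days=0)   # earliest permitted next change
    max_age: timedelta = timedelta(days=60)  # forced expiry (the 60-day rule)

@dataclass
class Account:
    policy: PasswordPolicy
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), oldest first
    last_change: Optional[datetime] = None

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def set_password(acct: Account, new_password: str, now: datetime) -> None:
    """Enforce minimum age and history, then record the new password."""
    pol = acct.policy
    if acct.last_change is not None and now - acct.last_change < pol.min_age:
        raise PolicyViolation("minimum password age not yet reached")
    # Only the most recent history_count entries count; each keeps its own
    # salt, so the candidate is re-hashed per entry before comparing.
    recent = acct.history[-pol.history_count:] if pol.history_count > 0 else []
    for salt, digest in recent:
        if _digest(new_password, salt) == digest:
            raise PolicyViolation("password matches a remembered password")
    salt = os.urandom(16)
    acct.history.append((salt, _digest(new_password, salt)))
    acct.last_change = now

def cycle_back(history_count: int, min_age_days: int, original: str,
               throwaways: Optional[int] = None) -> Tuple[bool, int]:
    """Simulate a user burning through the history with throwaway passwords
    (history_count of them unless given) to get `original` back, each change
    made as soon as policy allows. Returns (restored, days elapsed)."""
    policy = PasswordPolicy(history_count=history_count,
                            min_age=timedelta(days=min_age_days))
    acct = Account(policy=policy)
    start = now = datetime(2013, 8, 14)  # arbitrary start date
    set_password(acct, original, now)
    for i in range(history_count if throwaways is None else throwaways):
        now += policy.min_age
        set_password(acct, f"throwaway-{i}", now)
    now += policy.min_age
    try:
        set_password(acct, original, now)
        return True, (now - start).days
    except PolicyViolation:
        return False, (now - start).days

def reuse_refused(history_count: int) -> bool:
    """True if a password still inside the history window is refused."""
    acct = Account(policy=PasswordPolicy(history_count=history_count))
    now = datetime(2013, 8, 14)
    set_password(acct, "first", now)
    set_password(acct, "second", now)
    try:
        set_password(acct, "first", now)
        return False
    except PolicyViolation:
        return True

def early_change_refused(min_age_days: int) -> bool:
    """True if a second change one hour after the first is refused."""
    acct = Account(policy=PasswordPolicy(min_age=timedelta(days=min_age_days)))
    now = datetime(2013, 8, 14)
    set_password(acct, "first", now)
    try:
        set_password(acct, "second", now + timedelta(hours=1))
        return False
    except PolicyViolation:
        return True

if __name__ == "__main__":
    print("history 12, no minimum age:", cycle_back(12, 0, "Original!"))  # (True, 0)
    print("history 12, 1-day minimum :", cycle_back(12, 1, "Original!"))  # (True, 13)
```

With a history of 12 and no minimum age, cycle_back returns (True, 0): the user is back on the original password the same minute. With a one-day minimum age the same sequence returns (True, 13): the trick still works, but only after 13 days, which is exactly what the 24-hour rule buys. Making reuse impossible is the job of history depth, not of the minimum age (compare throwaways=11, which is refused because the original is still inside the window), and the 60-day maximum age then bounds how long a restored password stays in use.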

 

On Aug 13, 2013, at 9:48 PM, Ravi Ravishanker <gravishanker@WELLESLEY.EDU> wrote:

 

Hi All

 

   In a previous institution where I worked, several years ago we implemented a password change once a year (I believe), mainly because auditors required it and also because Gramm-Leach-Bliley required it (this was controversial). When confronted by some of the faculty as to why exactly we were doing it, it was very hard to explain, except to point to the auditors and GLB. In two other institutions where I have worked since, I read some of the work that has been cited and consulted some of the CS faculty, and I have been a proponent of stronger passwords rather than requiring end users to change passwords often.

 

   In both cases, I have engaged in conversations with the auditors to explore why they recommend frequent password changes for end users. The answer was "to reduce exposure in case the account has been compromised". If this were the criterion, in the worst case, an account could be compromised until the next password change! So, I have been able to convince them that a strong password or a strong passphrase provides much better protection than frequent password changes.


 

-- Ravi

CIO & Associate Dean for WellesleyX, Wellesley College

Google Voice - 860-631-RAVI

 

Comments

Thank you to all who responded to this thread.  They are thoughtful and helpful in my quest to develop a policy.

 

Regards,

 

Tim

Tim Carroll

Assistant Vice President for Information Technology and CIO

Roane State Community College

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Susan Wheeler
Sent: Thursday, August 15, 2013 11:50 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Strong Password Management Policy

 


I think the key to a workable policy is to keep the big picture of what you're trying to accomplish and the end user in mind. 

For passwords, you may find value in the idea of achieving a certain level of entropy, a mathematical calculation of a password's strength, and looking at the variety of components that go into doing that. For instance, the US government (a long time ago) published a password entropy tool where one can play a bit with the components and see how, say, a very long passphrase can reduce the requirement for, say, frequently changing passwords or lockouts. It's a mix of requirements, and as long as the right entropy target is met, it's good enough for the Feds. 

You can find two of these entropy calculators, the older US Government version and a new one developed by U Wisconsin Madison, at
https://spaces.internet2.edu/display/InCAssurance/Password+Entropy+Calculators. Both check against 800-63-2 NIST level 1 and 2 entropy requirements. 

BTW, if you're interested in using a best-practice doc to guide the design of your credentialing systems, check out the InCommon Assurance Profiles. They are a NIST-comparable standard that was written for higher ed and approved by the US Gov for federating with their agencies; you can find them at assurance.incommon.org. 

Best,
Ann

Ann West
Assistant Director,
InCommon Assurance and Community
Internet2 based at Michigan Tech
awest@internet2.edu 
office: +1.906.487.1726 

From: <Carroll>, Tim <Carrolltd@ROANESTATE.EDU>
Reply-To: The EDUCAUSE CIO Constituent Group Listserv <CIO@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, August 15, 2013 2:03 PM
To: "CIO@LISTSERV.EDUCAUSE.EDU" <CIO@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [CIO] Strong Password Management Policy


 

But notice, acceptable password entropy protects against guessing, whereas forced changes due to ageing protect against undetected compromise (regardless of whether the account was compromised by password guessing or some other way). You cannot logically trade them off against each other. You can, however, somewhat trade off password entropy with account lockout policies, since they both deal with guessing attacks. I do agree you should keep the big picture in mind, including both security and user convenience.

 

In the particular case of password aging, I don’t believe there is a true “best” practice.  There is substantial disagreement about how much security is truly enhanced, and how much users are truly inconvenienced. 

 

There is quite a bit more agreement about password entropy. The issue there is that most password rules don’t truly enforce as much randomness as the calculators envision, and the password attackers know this. If you are forced to include a digit, you will almost always do a simple substitution (l -> 1, o -> 0 or e -> 3) or put a digit at the end. This does increase entropy, but not nearly as much as if you randomly choose each character from the full spectrum of allowed characters. (So those few who put the digit in an unexpected place are way more secure.)

 

Bob

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ann West
Sent: Monday, August 19, 2013 12:07 PM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Strong Password Management Policy

 


 

The NIST SP-800 series is a useful resource, but the NIST entropy calculations, and Shannon entropy in general, aren’t accurate measures of the difficulty of guessing a password.  Naïve entropy calculations are too generous because users don’t pick random passwords.  The NIST calculations are more conservative, but they don’t hold up.  This paper by Weir, Aggarwal, Collins and Stern highlights some of the problems: http://www.cs.umd.edu/~jkatz/security/downloads/passwords_revealed-weir.pdf

 

What’s dangerous about the NIST entropy measurement is that it overestimates the security of certain passwords that may be cracked quickly by the attacker, leaving the defender with a false sense of security, while drastically underestimating the security of many passwords that for all intents and purposes are resistant to an online attack.

 

 

Steven Alexander Jr.

Online Education Systems Manager

Merced College
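Ann West's NIST 800-63-2 entropy calculators, Bob's point that a forced digit almost always lands as a predictable substitution or suffix, and Steven Alexander's point that the NIST estimate is poorly calibrated can be put side by side in code. The Python below is an added example, not code from the thread, from the Internet2 calculators or from the Weir et al. paper. It implements the SP 800-63-2 Appendix A length and composition formula as I read it (the separate dictionary-check bonus of up to 6 bits is left out), a uniform-random upper bound, and a tiny rule-based cracking model. The wordlist, the rule list and their ordering are constructed for the example; a real attack uses lists of millions of words and hundreds of rules, which widens the gap shown here rather than narrowing it.

```python
"""Three estimates of how hard a user-chosen password is to guess (added example).

nist_entropy: the length-based estimate of NIST SP 800-63-2 Appendix A
  (4 bits for the first character, 2 each for characters 2-8, 1.5 each for
  9-20, 1 beyond 20, plus 6 if a composition rule forces upper case and
  non-alphabetic characters). The dictionary-check bonus is not modelled.
random_entropy: what the password would be worth if every character had been
  drawn uniformly from the character classes it uses (an upper bound).
mangling_guesses: an attacker's-eye count. A ranked wordlist and an ordered
  list of common mangling rules are enumerated rule by rule, word by word;
  the position at which the password appears is the number of guesses.
"""
import math
import string
from typing import Callable, List, Optional, Tuple

# Constructed ranked wordlist, most common first (a real one has millions).
WORDLIST: List[str] = [
    "password", "123456", "welcome", "qwerty", "letmein",
    "monkey", "dragon", "summer", "college", "football",
]

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})

# Constructed rule list, most common first; real rule sets are hundreds long.
RULES: List[Tuple[str, Callable[[str], str]]] = [
    ("as-is",                      lambda w: w),
    ("capitalise",                 lambda w: w.capitalize()),
    ("append 1",                   lambda w: w + "1"),
    ("capitalise, append 1",       lambda w: w.capitalize() + "1"),
    ("append 123",                 lambda w: w + "123"),
    ("capitalise, append !",       lambda w: w.capitalize() + "!"),
    ("capitalise, append 1!",      lambda w: w.capitalize() + "1!"),
    ("leet",                       lambda w: w.translate(LEET)),
    ("capitalise, leet",           lambda w: w.capitalize().translate(LEET)),
    ("capitalise, leet, append 1", lambda w: w.capitalize().translate(LEET) + "1"),
    ("append 2013",                lambda w: w + "2013"),
    ("capitalise, append 2013",    lambda w: w.capitalize() + "2013"),
]

CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]

def nist_entropy(password: str, composition_rule: bool = False) -> float:
    """SP 800-63-2 Appendix A estimate for a user-chosen password."""
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * max(0, min(n, 8) - 1)
    bits += 1.5 * max(0, min(n, 20) - 8)
    bits += 1.0 * max(0, n - 20)
    return bits + (6.0 if composition_rule else 0.0)

def random_entropy(password: str) -> float:
    """Bits if each character were uniform over the union of classes used."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def mangling_guesses(password: str) -> Optional[Tuple[int, str, str]]:
    """(guesses needed, base word, rule) or None if no word/rule pair matches."""
    for r, (name, rule) in enumerate(RULES):
        for w, word in enumerate(WORDLIST):
            if rule(word) == password:
                return r * len(WORDLIST) + w + 1, word, name
    return None

def guess_bits(password: str) -> Optional[float]:
    """log2 of the guess count, comparable with the entropy figures."""
    hit = mangling_guesses(password)
    return math.log2(hit[0]) if hit else None

def compare(password: str, composition_rule: bool = False) -> dict:
    return {"nist": nist_entropy(password, composition_rule),
            "random": round(random_entropy(password), 1),
            "mangling": guess_bits(password)}

if __name__ == "__main__":
    for pw in ("Password1!", "Dragon2013", "P4$$w0rd1", "xK9#vLq2@pRw"):
        print(f"{pw:14} {compare(pw, composition_rule=True)}")
```

For Password1! the NIST formula with the composition bonus gives 27 bits and the uniform-random bound about 65 bits, but the rule model finds it on guess 61 (under 6 bits), because "capitalise and append 1!" is exactly the kind of mangling Bob describes. For a 12-character random string the NIST formula gives 24 bits (30 with the bonus) while the random bound is close to 79 bits and the rule model never finds it, which is the underestimate Steven points at. A None from the model means "outside this rule set", not "safe"; whatever the estimate, a per-account lockout or rate limit is what actually bounds an online attack.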

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ann West
Sent: Monday, August 19, 2013 12:07 PM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Strong Password Management Policy

 
