Strong Password Management Policy
Why have passwords changed on a regular or irregular interval?
I have observed at various colleges that supervisors sometimes have rights that their administrative assistants do not have. So what happens is that the supervisor (against policy) will give their password to another person. If that person then leaves that position, they still know the password even after they leave.
By requiring password changes, you at least eliminate these former employees from having access to supervisor accounts.
Believe me, it happens. The same thing with students…they may share passwords, if for nothing else but to allow a friend to log on to a networked computer and print on their account. This happens even when that person is no longer a student at the college.
Sometimes the biggest threats come from within your system; it’s not always the hacker from another state or country that you have to watch for.
Susan Wheeler, Ed. D.
Director, Technology Services
Illinois Central College
One College Drive
East Peoria, IL 61635-0001
Office Phone: 309-694-8855
Technology Services staff will never ask for your password in an email.
Don't ever email your password to anyone or share confidential information in emails!!
From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU]
On Behalf Of Robert Paterson
Sent: Wednesday, August 14, 2013 7:21 AM
Subject: Re: [CIO] Strong Password Management Policy
And Brett….I really want World Peace….. Best, Rob
Dr. Robert Paterson
Vice President – Information Technology, Planning and Research
Rockville Centre, NY
New Phone Numbers for Molloy College
Main number: 516-323-3000
Direct number: 516-323-4848
I have greatly enjoyed this thread. Having moved from a private to public institution I have had to address an increased level of accountability to auditors from our State. They have made it clear that we must expire our passwords. Our practice is that the password must be changed every 60 days for anyone with access to our ERP system and system administrators must change their password every 45 days. Even more interesting: once someone changes their password, they must wait 24 hours to change it again. The reasoning is as follows: Active Directory stores the last 12 passwords that you have used and will not let you reuse one of them. If we let people change their password without a delay, the auditors fear that people will quickly make 12 successive changes and then go back to their original password on the 13th change.
It would be great if there really would be a consensus on password change policies. And right after that, we can tackle world peace…
Vice President for Information Technology
Tallahassee Community College
444 Appleyard Drive
Tallahassee, FL 32304-2895
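The interaction between the 12-password history and the 24-hour wait described in the message above can be checked with a small simulation. This is an added example, not part of the original thread and not Active Directory code: the `Account` class, `time_to_cycle_back`, the SHA-256 digest and the sample passwords are all assumptions made for illustration. It goes slightly beyond the message by measuring how long a return to the original password takes under each setting.

```python
import hashlib
from collections import deque
from datetime import datetime, timedelta

class Account:
    """Toy model of the history and minimum-age rules (hypothetical, not AD)."""

    def __init__(self, password, now, history_len=12, min_age=timedelta(hours=24)):
        # The last N passwords used, current one included, as in the message.
        self.history = deque([self._digest(password)], maxlen=history_len)
        self.min_age = min_age
        self.last_change = now

    @staticmethod
    def _digest(password):
        # Illustration only: a real directory uses its own password hashing.
        return hashlib.sha256(password.encode()).hexdigest()

    def change(self, new_password, now):
        """Apply the policy; return (accepted, reason)."""
        if now - self.last_change < self.min_age:
            return False, "minimum age not reached"
        digest = self._digest(new_password)
        if digest in self.history:
            return False, "password in history"
        self.history.append(digest)  # oldest entry falls out once full
        self.last_change = now
        return True, "ok"

def time_to_cycle_back(min_age, history_len=12, step=timedelta(minutes=1),
                       limit=timedelta(days=30)):
    """Elapsed time until the original password is accepted again when a user
    retries every `step`, or None if that does not happen within `limit`."""
    start = datetime(2013, 8, 14, 9, 0)              # constructed start time
    original = "Original-Passphrase"                 # constructed sample value
    acct = Account(original, start, history_len, min_age)
    now, used = start, 0
    while now - start <= limit:
        now += step
        if acct.change(original, now)[0]:
            return now - start
        if acct.change(f"throwaway-{used}", now)[0]:
            used += 1
    return None

if __name__ == "__main__":
    print("no minimum age:", time_to_cycle_back(timedelta(0)))
    print("24 h minimum age:",
          time_to_cycle_back(timedelta(hours=24), step=timedelta(hours=1)))
```

In this model the minimum age stretches the 13-change cycle from minutes to 13 days, so it raises the cost of cycling rather than making it impossible.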
On Aug 13, 2013, at 9:48 PM, Ravi Ravishanker <gravishanker@WELLESLEY.EDU> wrote:
In a previous institution where I worked, several years ago we implemented password change once a year (I believe) mainly due to auditors requiring it and also Gramm-Leach-Bliley requiring it (this was controversial). When confronted by some of the faculty as to why exactly we were doing it, it was very hard to explain, except to point to the auditors and GLB. In two other institutions where I have worked since, I read some of the work that has been cited and consulted some of the CS faculty and have been a proponent of stronger passwords rather than requiring end users to change passwords often.
In both cases, I have engaged in conversations with the auditors to explore why they recommend frequent password changes for end users. The answer was "to reduce exposure in case the account has been compromised". If this were the criterion, in the worst case, an account could be compromised until the next password change! So, I have been able to convince them that a strong password or a strong pass phrase provides much better protection than frequent password changes.
CIO & Associate Dean for WellesleyX, Wellesley College
Google Voice - 860-631-RAVI