
Hi Everyone

We are in the process of developing a campus password policy that would apply to accounts in our Google Apps domain.

As Google doesn't allow the enforcement of a policy beyond specifying the minimum & maximum number of characters, I'm wondering what other institutions have done to enforce a policy that includes complexity and change frequency requirements?

Thanks in advance for any suggestions and recommendations.

Regards,


--
Jesse Thomas
Network/Systems Administrator,
Hamilton College ITS
315-859-4211

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

I suspect most folks are using Shibboleth, LDAP, or some other single sign-on method for Google Apps login and do not rely on Google to store credentials.  However, since mobile access does require a Google password, we synchronize passwords from Active Directory so they still must meet our complexity requirements.

Brad

--
Brad Christ
Chief Information Officer
Southern Oregon University
christb@sou.edu
v. 541-552-6451


Hi Jesse

At our University we use Apps with single sign-on. Therefore, the password policy is applied to the user's institution-wide password, which subsequently is used for Google Apps :-) Our policy does include complexity and 6-month change requirements.

Regards

Samantha Garrett
Business Analyst (Google Product Specialist)
eSolutions | Monash University | +61 3 990 24286


Log service request: http://servicedeskonline.monash.edu
IT Service Desk: +61 3 990 51777

Follow the Monash Google Apps team on Google+!



On 30 January 2013 08:26, Jesse Thomas <jthomas@hamilton.edu> wrote:
Hi Everyone

We are in the process of developing a campus password policy that would apply to accounts in our Google Apps domain.

As Google doesn't allow the enforcement of a policy beyond specifying the minimum & maximum number of characters, I'm wondering what other institutions have done to enforce a policy that includes complexity and change frequency requirements?

Thanks in advance for any suggestions and recommendations.

Regards,


--
Jesse Thomas
Network/Systems Administrator,
Hamilton College ITS
315-859-4211


We point Google Apps to our change password page as part of the SSO setup. That page sets the Google Apps password as well.
My daughter's school uses SSO, does not set the Google Apps password, and requires 2-step verification for IMAP/mobile clients.

Hi Everyone

Thanks very much for the responses - for those using SSO, can I ask what application you are using? We are looking for a web-based system that can handle password policy enforcement, password resets with challenge/response questions, and integration with AD/Google at a minimum (integration with other systems would be a bonus).

Thanks again,


--
Jesse


On Jan 29, 2013, at 5:30 PM, "Meier, Tina" <tina.meier@OKSTATE.EDU> wrote:

Hello
 
We do the same thing – point Google Apps to our internal password application with the SSO set up.
 
Thanks
Tina Meier
IT Director
Oklahoma State University System
 
From: The EDUCAUSE Google Apps Constituent Group Listserv [mailto:GOOGLEAPPS@LISTSERV.EDUCAUSE.EDU] On Behalf Of Charlie Reitsma
Sent: Tuesday, January 29, 2013 3:58 PM
To: GOOGLEAPPS@LISTSERV.EDUCAUSE.EDU
Subject: Re: [GOOGLEAPPS] Google Apps Password Policy
 
We point Google Apps to our change password page as part of the SSO setup. That page sets the Google Apps password as well.

My daughter's school uses SSO, does not set the Google Apps password, and requires 2-step verification for IMAP/mobile clients.


You're really looking at two pieces here: single-sign-on and identity and access management.

For web single-sign-on, two of the most common standards in use are CAS and Shibboleth.  I'll put in a plug for Shibboleth and for joining InCommon: http://www.incommon.org/.  CAS and Shibboleth fit alongside your enterprise directory; they do not replace it.  For example, our Shibboleth identity provider is connected to our Active Directory domain.

For identity and access management, there are many commercial solutions including Microsoft ForeFront Identity Manager, NetIQ Identity Manager, Sailpoint, etc.  There are also open source solutions, like Syncope or OpenIAM. There is an almost overwhelming amount of information out there on IAM/IDM.

Brad

--
Brad Christ
Chief Information Officer
Southern Oregon University
christb@sou.edu
v. 541-552-6451


Message from wgthom@gmail.com

Message from sfs@umn.edu

We also use Shibboleth SSO and redirect password updates to our local password update web page.  Our Google passwords are set separately by users only if they need to use IMAP clients and such -- we require that they be different than their main "enterprise" password for security reasons.
