
Message from shawt@d-e.org

Colleagues,

We have recently encountered a breach of password security where a teacher's password was compromised and used (for quite some time) to circumvent our web filter.

This has prompted some conversation about what we can do at the system level to ensure that passwords are as secure as they can reasonably be without creating undue burdens on users (a tricky balance always).

Some of the things that have been suggested include:

Forcing periodic password changes
De-coupling web filter passwords from network passwords (we currently have a single password for everything)
better monitoring of web filter logs to identify spikes in use sooner 

I'm wondering what others are doing in the way of best practices. I realize this is a pretty basic question, but I suspect that it's one that we should re-visit periodically.

Trevor

--
******************************
Trevor Shaw
Director of Technology
Dwight-Englewood School
315 E. Palisade Ave
Englewood, NJ 07631
"Challenging Minds for a Changing World"
v 201.569.9500.3244
*******************************

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Message from ryan.young@mastersny.org

Trevor,

We have a multi layer security approach:

Passwords:
Expire every 180 days
Require 6 characters (1 character must be a number or symbol)

Teacher machines:
Machine auth w/ 802.1x into a different network that has lower levels of web filtering

Student machines:
Can only get on to the network with their username and password and they get dropped into a highly restricted VLAN; if a faculty member's username is used, the student cannot get on the network. This has annoyed our teachers because they can't get their cell phones on the network, but we are currently working on a workaround for that. We filter the web by the subnet, not by the username; we also have the students in a /22 network with 30-day lease times.

NAC:
We have a NAC that learns username/network/machine type, so we have the ability to scroll thru the NAC and look at client history for username logons as well as machine history.

I feel like with the right accounting tools and security measures these types of incidents can be monitored/seen/prevented.


Best,

Ryan Young
Network / Systems Administrator
The Masters School
Dobbs Ferry, NY


From: Trevor Shaw <shawt@D-E.ORG>
Reply-To: <shawt@d-e.org>
Date: Tue, 6 Mar 2012 09:17:17 -0500
To: <ACCESS@LISTSERV.EDUCAUSE.EDU>
Subject: password security - best practices


Hello Trevor,

Those are all good thoughts.

Finding a balance between security and usability is a challenge.

If you can get away with it, periodic password changes are a good first step. Then, think about the complexity – whether you include upper case/lower case/numbers/symbols, and length (at least 6-8 characters). The more complex, the harder it is for a user to remember, but harder for others to guess.

Single Sign-on is a good thing, so I would try to avoid sacrificing that.

You’ll put a lot of time and effort into monitoring logs, but that might be the compromise if your users insist on not changing the password policy.

Good Luck!

JP

JP Peters
Director, Information Technology
College of Sciences / COSIT
University of Central Florida
407-823-1209
jp@ucf.edu
http://www.cos.ucf.edu

Teaching people how to create strong passwords is just as important as the restrictions we place on the system. A LONGER password is more important than complexity—if you haven't seen it, xkcd has a comic about password entropy: https://xkcd.com/936/

Also, don't require password changes TOO frequently; if you do, people will tend towards weaker passwords or, if they have complicated passwords with symbols and caps, they are more likely to write their password down on a post-it attached to their laptop, monitor, keyboard, etc...

The best passwords are long sentences, for example: Iwillneverforgetthispassword is a GREAT password and is MUCH easier to remember than 6x%mY&

Jeremy
------
Jeremy Angoff 
as Manager, OunceIT LLC. 

phone: 617.600.4608 
email: jeremy@OunceIT.com
twitter: @MyTakeOnIt

Jeremy,

Clearly you type very rapidly. It would take me a couple of minutes to log in with a password like that :-).

Joel

-- 
Joel Backon
Director of Academic Technology / History
Choate Rosemary Hall
333 Christian St.
Wallingford, CT  06492
203-697-2514




hahahah!!!

Actually, once you've typed it a few times, it becomes muscle memory. It's surprisingly easy.

Or maybe we haven't been doing enough Mavis Beacon?! ;)

Jeremy
------
Jeremy Angoff 
as Manager, OunceIT LLC. 

phone: 617.600.4608 
email: jeremy@OunceIT.com
twitter: @MyTakeOnIt

Message from tphelan@peddie.org

Finding the right balance of security vs. time spent/convenience is a no-win proposition for us. Any security is too much until we get hacked, and then it is not enough. We only went to a policy of forcing a password change a couple of years ago and this one very modest change (every 180 days) generated more complaints than anything else we have done. That said, after a month or so when it became clear that we were not going to change the policy the complaints stopped.

We require 10 character complex passwords that must change every 180 days. I think anything less is the worst of both worlds as it both forces the inconvenience of changing a password and is not secure as smaller passwords are ripe targets for readily available password cracking programs. One problem we had when we made the change is that if a password expires when the user is off campus (e.g. over a break, the summer, etc.) it can result in a catch-22 when the user comes back to campus with his laptop due to our NAC requiring that the device be registered using their password before they can gain access to a domain controller. But, since their password is expired, they can't register and thus can't gain access to a domain controller to allow updating their password. We considered several solutions, but in the end opted not to change our network and rather to create a VB script that for 2 weeks prior to a break pops up to annoy them to change their password if their password is due to expire over a break.

In general, even from purely a security perspective, I think it is a better approach to stick with one password as the more passwords users have the more likely they will do things that compromise their password security. Also, enforcing unique passwords could be very difficult from a technical perspective since most passwords are stored as hashed values making it impossible for you to know a user's password (e.g. their Windows password) and thus ensure uniqueness.

While there really is nothing we can do on the tech side to spot if a student gets a teacher's password and does something on the teacher's computer, our Campus Manager NAC can be useful for spotting if a student is using a teacher's password on their own computer, because we keep an eye on which machines are on the faculty VLAN. If we see a student's machine on the faculty VLAN, we investigate.

Lastly, while closely monitoring logs and investigating irregularities is ideal, it is rarely practical. Another example of balancing time spent on security issues vs. all the other things we have to do.  

Tom Phelan
Peddie School
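Two of the detection ideas in this thread (Trevor's "better monitoring of web filter logs to identify spikes in use sooner" and Ryan's and Tom's practice of watching for a faculty account or machine turning up on the student VLAN) can be expressed as a small script over the filter's access log. The following is an added example written for this page, not code from any of the posters or their schools. The log line layout, the subnet numbers, the account names and the log lines themselves are all constructed for the demonstration; a real proxy or filter log will need its own regular expression.

```python
"""Flag suspicious web-filter activity in (constructed) access-log lines.

Two checks are made:
  1. a per-user daily request count far above that user's own median
  2. a faculty account used from a client address outside the faculty VLAN
"""
from collections import defaultdict
import ipaddress
import re
import statistics

# Assumed line layout (hypothetical; real proxy/filter logs differ):
#   <YYYY-MM-DD> <HH:MM:SS> <username> <client-ip> <url> <ALLOW|BLOCK>
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<url>\S+) (?P<action>ALLOW|BLOCK)$"
)

# Constructed sample: five quiet days for the faculty account "jsmith", then a
# day with far more requests, all from an address in the student range.
SAMPLE_LOG = "\n".join(
    [f"2012-03-0{d} 10:00:00 jsmith 10.1.0.25 http://example.edu/ ALLOW" for d in range(1, 6)]
    + [f"2012-03-0{d} 10:05:00 jsmith 10.1.0.25 http://example.edu/syllabus ALLOW" for d in range(1, 6)]
    + [f"2012-03-06 {h:02d}:15:00 jsmith 10.2.3.44 http://video.example.com/{h} ALLOW" for h in range(8, 20)]
    + ["2012-03-06 09:00:00 astudent 10.2.3.90 http://example.edu/ ALLOW",
       "this line is malformed and should be skipped"]
)

FACULTY_ACCOUNTS = {"jsmith"}                         # assumed group membership
FACULTY_SUBNET = ipaddress.ip_network("10.1.0.0/24")  # assumed faculty VLAN


def parse_log(text):
    """Parse lines matching LOG_RE into dicts; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def daily_counts(records):
    """user -> {day: number of requests}."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r["user"]][r["day"]] += 1
    return counts


def usage_spikes(records, factor=3.0, min_baseline_days=3):
    """Days on which a user's request count exceeds `factor` times the median
    of that user's other days. Returns [(user, day, count, baseline)]."""
    spikes = []
    for user, per_day in daily_counts(records).items():
        for day, count in sorted(per_day.items()):
            others = [c for d, c in per_day.items() if d != day]
            if len(others) < min_baseline_days:
                continue  # not enough history to call anything a spike
            baseline = statistics.median(others)
            if count > factor * baseline:
                spikes.append((user, day, count, baseline))
    return spikes


def faculty_off_subnet(records):
    """(user, ip) pairs where a faculty account was used from outside the faculty VLAN."""
    hits = {
        (r["user"], r["ip"])
        for r in records
        if r["user"] in FACULTY_ACCOUNTS
        and ipaddress.ip_address(r["ip"]) not in FACULTY_SUBNET
    }
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, day, count, base in usage_spikes(recs):
        print(f"SPIKE  {user} on {day}: {count} requests vs median {base}")
    for user, ip in faculty_off_subnet(recs):
        print(f"VLAN   faculty account {user} seen from {ip}")
```

The spike check compares each day against the user's own median rather than a fixed threshold, so a teacher who always streams video is not reported while a normally quiet account that suddenly triples its traffic is. The subnet check is the log-side equivalent of Tom's NAC rule: it needs no NAC, only the filter's record of which client address presented which credentials.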


Message from charlesthompson@taftschool.org

Hey Trevor,

As you know, I just started at Taft, and the rules here were so stringent, I thought I was working at NASA. Passwords expired every 30 days. Complexity included capitals and numerical requirements (kept this). Windows enforced 12 unique passwords before being able to reuse one. This was both for students and faculty/staff, and users were having to come to the IT office to reset their passwords constantly. Having computers on both platforms with our SSO to the web filtering didn't help either.

After some wrestling, we settled on not requiring our students change their passwords (which we will revisit this spring), but having our faculty and staff forced to change their passwords three times per year. Instead of having their passwords expire on their own, we warn users that the password change is coming, and then force all of them to change it on the same day. We normally force the change a few days after a break (September, January, April) so that it doesn't usually catch them by surprise when they are just getting up in front of their class and needing to figure out a new password. We used this system at St. George's and I think the teachers appreciated the warning / hand-holding. With not too much more work, it gets the job done and was a nice compromise.

I do think having the single password is worth preserving. You'll then have less password change overhead when one password is easily forced to change, and the others needing users to figure out how to change. Simple is good.

Good luck

Charles

Message from phoopes@standrews-de.org

I know this may sound antiquated, but we do not require password changes at all and our only requirement is that they are 5 characters long.

Now... while most of you smack your foreheads, let me explain:

While it's possible that someone could spend hours and hours brute-forcing a login attempt, I know that our password database (Open Directory) is locked down and secure. If someone chose an easy password (I had someone choose "eagles", ugh.) then frankly they get what they deserve. Now, I realize there may be some liability in this, but we STRESS heavily to our faculty that they are responsible for making sure they have good passwords and if they want to risk using an easy one then they will bear the burden fully.

So far, no problems. It's not that we're laissez-faire, I'm just picking my battles. There's no way our faculty/staff or students would get behind a 30-day or 3-times/year change setup, and that's not where the effort should be. Train them to pick good strong passwords in the beginning and they'll be fine.

My $.02.

=====================
Peter Hoopes
Director of Technology
St. Andrew's School
phoopes@standrews-de.org
=====================
Message from charlesthompson@taftschool.org

Our policy was close to yours, then we had our own little Ocean's Eleven incident. We had a group of kids devise a plan to steal their teachers' passwords by hovering over them when they typed them -- gaining a letter or two each time. Their goal was to use them to access their teachers' network space so they could see their final exams. The new protocol was our reaction to that event. It seemed reasonable though. A few may complain, but most understand the reasoning. An ounce of prevention...

Charles



Charles,

With everyone needing to change passwords on the same day, do you find that staff help each other out and that reduces IT support time?

What happens if someone is out on password change day?

Thanks,
Bill

Sent from a mobile device.


Message from elacroix@newhampton.org

Good morning!

We make no claims to conform to best practices in this regard but I don't mind sharing what we do.

We require an eight-character password with at least one number or symbol. That password does not expire. It's possible to use it for as long as you're a member of the NHS community, or until the tech office finds reason to initiate a change.

Very few people have come to us asking for a change - but when they do, we change that password for them in AD, our mail system (one of our few systems not linked to AD) and our web site (which can be integrated with AD but isn't yet).

We haven't had many issues. In 2002 we had a student use a teacher's password to get into the faculty home folder on the file server. The student was putting his homework in the folder the teacher told him to use at the time that the teacher gave the student his password. And this was the computer teacher who gave out his password. (Fail! No longer working here!) At other times we've had students feel like their Facebook accounts were getting hacked, so they wanted to change their NHS passwords. (For those students, there's a little bit of a disconnect there, thinking their NHS password got them into Facebook.) Turns out that was in the day of Firesheep and the kids were on an open SSID. Other than those two examples I can't think of any major problems related to, or seemingly related to, passwords.

Tom mentioned picking battles... We do have so many more battles in 2012 than in 2000. We're using technology all the time. Changing passwords is like an unpleasant medical maintenance procedure that we prefer to not inflict on our patients until they feel symptomatic or they become hypochondriacs (and we have our share of those too). To continue the analogy, we just give them a good hearty lecture on diet and exercise when they first pick their password, which is likely destined to stay with them for a few years. We counsel them away from prepared foods like "soccer10" ("Let me guess what you play! And your jersey number!" ... "How did you know that? That's so creepy!") or what are obviously boyfriend or girlfriend names with ages.

Have a great day ~
__________________________________________________________
Eric LaCroix, Director of Technology, New Hampton School
70 Main Street * New Hampton, NH 03256
603-677-3450 phone & fax

Please consider the environment before printing this email.
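Several posters state concrete rules (Ryan: 6 characters with a number or symbol; Tom: 10-character complex passwords; Eric: 8 characters with a number or symbol), Jeremy argues that length beats complexity, and Peter and Eric describe the kind of choices ("eagles", "soccer10") that training should steer people away from. The following added example, written for this page and not taken from any poster's systems, puts those rules and both sides of the length-versus-complexity argument into one small checker. Assumptions: Tom's "complex" is modelled as the usual three-of-four character classes; the passphrase estimate uses a 2048-word (11 bits per word) dictionary in the style of the xkcd strip Jeremy links; the common-word list is a tiny constructed stand-in for a real dictionary.

```python
"""Check candidate passwords against the rules quoted in this thread and
estimate the guessing work each one represents under two attacker models."""
import math
import re
import string

CLASS_SETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),   # 32 printable ASCII symbols
}

# Rule sets as the posters stated them (min_classes for "peddie" is assumed).
POLICIES = {
    "masters":    {"min_len": 6,  "need_digit_or_symbol": True,  "min_classes": 1},
    "peddie":     {"min_len": 10, "need_digit_or_symbol": False, "min_classes": 3},
    "newhampton": {"min_len": 8,  "need_digit_or_symbol": True,  "min_classes": 1},
}

# Constructed stand-in for a real dictionary / banned-word list.
COMMON_WORDS = {"eagles", "soccer", "password", "welcome", "school", "summer"}


def char_classes(pw):
    """Names of the character classes that appear in pw."""
    return {name for name, chars in CLASS_SETS.items() if any(c in chars for c in pw)}


def meets_policy(pw, policy):
    """True if pw satisfies one of the POLICIES entries."""
    classes = char_classes(pw)
    if len(pw) < policy["min_len"]:
        return False
    if policy["need_digit_or_symbol"] and not classes & {"digit", "symbol"}:
        return False
    return len(classes) >= policy["min_classes"]


def bruteforce_bits(pw):
    """log2 of the search space if the attacker knows only which classes are present."""
    charset = sum(len(CLASS_SETS[name]) for name in char_classes(pw))
    return len(pw) * math.log2(charset) if charset else 0.0


def passphrase_bits(n_words, dictionary_size=2048):
    """log2 of the search space if the attacker knows pw is n_words common words
    (assumed 2048-word dictionary, i.e. 11 bits per word)."""
    return n_words * math.log2(dictionary_size)


def weak_pattern(pw):
    """Reason string if pw is a common word optionally followed by up to four digits."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,4})", pw)
    if m and m.group(1).lower() in COMMON_WORDS:
        return "dictionary word" + (" plus digits" if m.group(2) else "")
    return None


def assess(pw, n_words=None):
    """Which thread policies pw passes, both work estimates, and any weak pattern."""
    return {
        "passes": sorted(name for name, pol in POLICIES.items() if meets_policy(pw, pol)),
        "bruteforce_bits": round(bruteforce_bits(pw), 1),
        "passphrase_bits": round(passphrase_bits(n_words), 1) if n_words else None,
        "weak_pattern": weak_pattern(pw),
    }


if __name__ == "__main__":
    for candidate, words in [("6x%mY&", None), ("Iwillneverforgetthispassword", 5),
                             ("eagles", None), ("soccer10", None)]:
        print(candidate, assess(candidate, words))
```

The two strings from Jeremy's post come out the way he describes: 6x%mY& satisfies Ryan's rule yet represents only about 39 bits of search even against a blind brute-force attacker, while the 28-character sentence fails every complexity rule in the thread but is worth roughly 55 bits even to an attacker who knows it is five common words (and about 160 bits to one who does not). The weak_pattern check is the automated form of Eric's "let me guess what you play" conversation.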


Message from charlesthompson@taftschool.org

Hey Bill,

Really, there are so few problems reported because everyone knows about the change ahead of time. When users started up in the morning, they were prompted to change their password immediately. Our phones didn't ring very much. Maybe users were helping each other; maybe they got used to the fairly straightforward process. The only people who got into trouble were those who left their computers on and didn't restart. They are randomly prompted to reauthenticate when they are trying to access a network resource. That can draw phone calls, but we didn't see that many. If someone is absent that day, they are still prompted to change their password the next time they log in, because the change password bit would still be set on their AD account.

Like any new thing, the first time folks go through this, they may have some questions; after that though, it becomes really smooth. The more you can do to warn them before, like letting them know they have to restart their computers that day, the smoother it will go. This was really easy at SG where we had a single platform, which I think you do. We are about to institute this for the first time at dual-platform Taft. Having all the Macs change passwords on our AD network may make life a little more challenging. We'll see how it goes.

In an environment where everyone has the same machine though, the process is straightforward enough that it becomes a non-issue.

Good luck with whatever you all decide.

Charles
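Tom's catch-22 (a password that expires during a break leaves the returning user unable to register with the NAC, and therefore unable to reach a domain controller to change it) and Charles's alternative (warn everyone, then force the change on one day a few days after the break) are both scheduling questions. The following is an added example written for this page, not Tom's VB script or Charles's procedure. It only computes who should be warned and when the forced change should fall; the break dates, account names and pwdLastSet values are constructed, and the 180-day maximum age and two-week warning window are the figures Tom gives. Hooking this up to a directory (reading each account's password-last-set date, or setting the change-at-next-logon flag) is left to whatever tooling the reader already has.

```python
"""Schedule password-expiry warnings around a break so nobody returns with an
expired password, and pick a single post-break forced-change day."""
from datetime import date, timedelta

MAX_AGE = timedelta(days=180)     # Tom's stated maximum password age
WARN_WINDOW = timedelta(days=14)  # Tom's "2 weeks prior to a break"

# Constructed sample data: a spring break and three accounts' pwdLastSet dates.
BREAK_START = date(2012, 3, 10)
BREAK_END = date(2012, 3, 25)
SAMPLE_ACCOUNTS = {
    "alice": date(2011, 9, 20),   # expires 2012-03-18, in the middle of the break
    "bob":   date(2011, 12, 1),   # expires 2012-05-29, long after the break
    "carol": date(2011, 9, 1),    # expired 2012-02-28, before the break (already handled)
}


def expiry_date(pwd_last_set, max_age=MAX_AGE):
    """Date on which a password set on pwd_last_set stops working."""
    return pwd_last_set + max_age


def expires_over_break(pwd_last_set, break_start, break_end, max_age=MAX_AGE):
    """True if the password lapses while the user is away (both ends inclusive)."""
    return break_start <= expiry_date(pwd_last_set, max_age) <= break_end


def should_warn(today, pwd_last_set, break_start, break_end,
                max_age=MAX_AGE, warn_window=WARN_WINDOW):
    """Warn only inside the window before the break, and only when the expiry
    would otherwise fall inside the break."""
    in_window = break_start - warn_window <= today < break_start
    return in_window and expires_over_break(pwd_last_set, break_start, break_end, max_age)


def accounts_to_warn(today, accounts, break_start, break_end):
    """Usernames (sorted) whose owners should be nagged on `today`.
    accounts maps username -> pwd_last_set date."""
    return sorted(u for u, last in accounts.items()
                  if should_warn(today, last, break_start, break_end))


def forced_change_date(break_end, settle_days=3):
    """Charles's approach: one change day for everyone, a few days after the break."""
    return break_end + timedelta(days=settle_days)


if __name__ == "__main__":
    for today in (date(2012, 2, 20), date(2012, 3, 1)):
        print(today, "warn:", accounts_to_warn(today, SAMPLE_ACCOUNTS, BREAK_START, BREAK_END))
    print("forced change day:", forced_change_date(BREAK_END))
```

Run day by day (a scheduled task is the obvious home), the warning list is empty until two weeks before the break, then contains only the accounts whose expiry actually lands inside it; accounts expiring well after the break, or already expired beforehand, are left to the normal expiry path. The forced-change date is deliberately a few days after the break ends, matching Charles's point about not catching people on their first morning back in front of a class.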


