This has gone around a few times in the past but I am looking for fresh results. What is your stance on student passwords? Do you make them change their password every X number of days? Complexity rules? Etc. Thanks.

Comments

We'd really like to refresh this discussion as well.....15 characters - no complexity - change every 128 days - last 5 passwords are retained....

What are others doing? Is everyone else still at 6-8 characters?

Thanks....

Here's our password policy for all users:

At least 8 characters
Must have capital letter
Must have # or symbol
Can't use last 20 passwords
Expires every 180 days
Students can unlock and reset password by themselves using our password reset utility (PeoplePassword)
Employees will soon also be enrolled in self password reset system

Students are on Gmail, with separate passwords meeting the criteria that Google enforces.


Brady Gallese ‘07
Technical Services Helpdesk Engineer
Office of Information Technology
Susquehanna University
514 University Avenue
Selinsgrove, PA 17870-1164
570.372.4470
gallese@susqu.edu


Hi,

Here is our password page

min 8, max 64, include at least 1 number or special character, punctuation or space

We encourage the use of a pass phrase

Joel

--On Tuesday, December 06, 2011 9:51 PM -0700 "SCHALIP, MICHAEL" wrote:

> We'd really like to refresh this discussion as well.....15 characters - no complexity - change every 128 days - last 5 passwords are retained....
>
> What are others doing? Is everyone else still at 6-8 characters?
>
> Thanks....

We increased our requirement to a minimum of 9 characters (etc), and we check against common passwords from dictionaries and password lists.

Brian Basgen
Director of Client Services (Acting) & Information Security Officer
Pima Community College
Office: 520-206-4873

On 12/7/11 4:24 AM, "Joel Rosenblatt" wrote:

> Hi,
>
> Here is our password page
>
> min 8, max 64, include at least 1 number or special character, punctuation or space
>
> We encourage the use of a pass phrase
>
> Joel

Minimum of 8
Complexity
Every 90 days
Can't use last 3

Message from jack.reardon@worcester.edu

Minimum of 8
Complexity
Every 90 days
Can't use last 10
30 minute lockout after 5 consecutive login failures
Users can reset using our password reset page
Users are snail mailed original password. 

Jack Reardon
Associate Director, Infrastructure Services
Worcester State University


Message from r-safian@northwestern.edu

We treat everyone the same...annual password change with complexity rules. http://www.it.northwestern.edu/netid/password.html

Message from r-safian@northwestern.edu

We modified our password rules to more accurately reflect today's threats. We had an opportunity to do so, because we finally retired the last system that forced us to keep the 8 character maximum. The process went well, and the community seems to like the new system.

We have increased complexity rules and done away with timed expiration.

-Brian

Do you run into any problems with students and their smart phones, wireless, etc.? How do you communicate this policy to your student population?

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY@LISTSERV.EDUCAUSE.EDU] on behalf of Roger A Safian [r-safian@NORTHWESTERN.EDU]
Sent: Wednesday, December 07, 2011 10:10 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Student Passwords

We treat everyone the same...annual password change with complexity rules. http://www.it.northwestern.edu/netid/password.html

What's your minimum pwd length?

It seems to me this topic would make a great wiki document. http://www.educause.edu/wiki/Main+Page

David Greenberg

Message from r-safian@northwestern.edu

No problems so far, the policy is pretty clear, and when they change their password they essentially see the web page I sent.

Message from r-safian@northwestern.edu

8...Sorry, I probably should have included the link. http://www.it.northwestern.edu/netid/password.html

Hi David,

We do currently have a page on "Password Policies" in the EDUCAUSE Resource Center. http://www.educause.edu/Resources/Browse/Password%20Policies/33329

But I would be happy to work with the group to make the page more robust and student password practices centered. Please let me know if you have any questions, thank you.

Colleen Keller
Electronic Resources Librarian
EDUCAUSE - Uncommon Thinking for the Common Good
4772 Walnut Street, Suite 206
Boulder, CO 80301-2538
Phone (303) 939-0309

We did a complete password reset for all faculty, staff, and students (~200K accounts, ~100k people actual). We now have a 365 day password lifetime. See http://www.vt.edu/password for info on our password project.
We're going through the first phase of password renewals now. Seems to be fairly smooth.

-Randy Marchany
VA Tech IT Security Office & Lab

Message from alexander.s@mccd.edu

Our requirements:

8 characters minimum
1 upper case character minimum
1 lower case minimum
1 number minimum
1 special character minimum
Expires after 180 days (this was temporarily disabled)

Students can use a self-service password reset that requires the answers to five security questions that they choose. In practice, I don't think this helps. We manually do a few thousand password resets every year because students forget their passwords and their security questions (we only have about 10k students).

I think our requirements are overly picky; we'd be better off requiring longer passwords with less complexity per character so that we could encourage students to use passphrases. Many of our students only use their accounts a few times a semester and this makes it easy for them to forget their passwords. Also, many of our students have a hard time picking a password that will meet the complexity requirements and this has led to our helpdesk staff giving advice like "Put a name a year and a star, for example: Name1928*" which completely defeats the purpose of requiring complex passwords in the first place.

The whole process is currently a big security hole. We have to process so many resets that it would be impossible for us to carefully scrutinize every request for a password reset or to make everyone show up in person with ID.

We switched from our previous requirements, which were much more lax, to these with no notice and very little discussion--it went from idea to implementation while I was on vacation last year... It hasn't worked out very well for us.

For anyone considering a change, please initiate some local discussion before you do anything. Consider what you're trying to accomplish and how the proposed changes will actually accomplish it. Don't rush into something without considering the impact of the changes and preparing to handle the support/education that comes with it.

Best regards,

Steven Alexander Jr.
Online Education Systems Manager
Merced College
3600 M Street
Merced, CA 95348-2898
(209) 384-6191
alexander.s@mccd.edu
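
Added example, not part of the original thread or any poster's code: it checks the composition rules listed in the post above, flags the name + year + symbol template the post quotes, and compares that template's guess space with a randomly chosen passphrase. The list sizes (5000 names, 32 symbols, a 7776-word list with words picked uniformly at random) are assumptions made for the estimate.

```python
import math
import re

def meets_composition_rules(pw: str) -> bool:
    """Rules as listed in the post: 8+ chars, upper, lower, digit, special."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

# The helpdesk template quoted in the post: capitalised name, 4-digit year, one symbol.
HELPDESK_TEMPLATE = re.compile(r"[A-Z][a-z]+(?:19|20)\d{2}[^A-Za-z0-9]")

def follows_helpdesk_template(pw: str) -> bool:
    return HELPDESK_TEMPLATE.fullmatch(pw) is not None

# Assumed sizes for the estimate (not from the thread).
NAME_LIST_SIZE = 5000    # candidate first names a guesser would try
YEAR_COUNT = 200         # 1900-2099, matching the regex above
SYMBOL_COUNT = 32        # printable ASCII punctuation
WORD_LIST_SIZE = 7776    # Diceware-sized word list

def template_bits() -> float:
    """log2 of the number of passwords the name+year+symbol template can produce."""
    return math.log2(NAME_LIST_SIZE * YEAR_COUNT * SYMBOL_COUNT)

def passphrase_bits(words: int) -> float:
    """log2 of the guess space for `words` words drawn uniformly at random."""
    return words * math.log2(WORD_LIST_SIZE)

def assess(pw: str) -> dict:
    templated = follows_helpdesk_template(pw)
    return {
        "compliant": meets_composition_rules(pw),
        "templated": templated,
        # Only the template has a known generator; other inputs are not scored.
        "bits": round(template_bits(), 1) if templated else None,
    }

if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Name1928*", "Maria2011!", "quiet lamp river 7 orbit"):
        print(candidate, assess(candidate))
    print("4-word random passphrase:", round(passphrase_bits(4), 1), "bits")
```

Under these assumptions the templated password passes every composition rule with roughly 25 bits of guess space, while the four-word passphrase is rejected for lacking an upper case letter despite a space of about 52 bits.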