
Message from cruch@fsmail.bradley.edu

At Bradley, we use the PCI requirements to define how often we require password changes.  In the PCI requirements it says:
8.5.9 Change user passwords at least every 90 days.
The last discussion we had here about password change frequency a number of schools indicated they had longer password life than these 90 days.  For those of you with longer password life, can you tell me how you handle the PCI requirement?  For example, do you have different requirements for PCI 'people' than for others?

Thanks in advance,
Chuck

-- 
***************************************************
J. C. "Chuck" Ruch
Associate Provost for IRT/CIO
Bradley University
Office (309) 677-3100
Cell (309) 370-7104, Fax - (309) 677-3092
cruch@bradley.edu

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

You may want to check out the thread “Password Policies” from last month:

http://listserv.educause.edu/cgi-bin/wa.exe?A1=ind1209&L=CIO

The discussion was about password expiration, but it wasn’t PCI-specific.  These comments stand out:

Chris Boniforti:

“@Lynn University we decided to do the password policy by groups and depending on what type of access these groups have.  For instance, any staff/faculty with access to financials, IT and other deemed sensitive information or access are in the 90 day group (also satisfied our financial auditors), faculty are in the every semester group or 180 days group and some few individuals are in the 360 day group.  This has worked fairly well for us.”

Rich Kogut:

“When I was at Georgetown and then at UC Merced, we went with no expiration (but stringent standards, password locking after failed attempts, etc.). I had an interesting fight with what was then Price Waterhouse auditors at the time at Georgetown who were pushing back against the policy. I showed them a research article from Gartner questioning the wisdom of requiring periodic password changes, citing anecdotal evidence of folks putting their recently changed passwords on sticky notes on their monitors, etc., and challenged them to find a single piece of research that supported any value in changing passwords.

After many months, they failed to do so. They did find a paragraph somewhere, that if I remember correctly, said that computer users benefiting from federal grants needed to follow the NIST guidelines, and those guidelines do require periodic password changes (but still without any real basis for it). So the irony was that the auditors, who were looking at administrative system security, pretty much only came up with a requirement (but no other justification) that researchers change their passwords periodically. Good luck with that.”


Steven Alexander Jr.

Online Education Systems Manager

Merced College
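The group-based scheme quoted above (a 90-day tier for PCI-scope and other sensitive-access accounts, longer tiers for everyone else) is straightforward to audit with a small script. The following is an added example, not code from the list or from any of the schools mentioned; the group names, tier lengths, the default tier and the sample account export are all assumptions. It applies the strictest tier to users who sit in more than one group, which is what keeps an account that is both faculty and in PCI scope on the 90-day clock.

```python
"""Tiered password-age check (added example, not from the thread)."""
from datetime import date

# Hypothetical tiers modelled on the group-based scheme described in the
# thread. Group names and tier lengths are assumptions for this example.
MAX_AGE_DAYS = {
    "pci-scope": 90,     # accounts with cardholder-data access
    "financials": 90,
    "it-staff": 90,
    "faculty": 180,      # "every semester" group
    "low-risk": 360,
}
DEFAULT_MAX_AGE = 180    # applied when none of a user's groups has a tier


def max_age_for(groups):
    """Strictest (shortest) tier wins for users in several groups."""
    ages = [MAX_AGE_DAYS[g] for g in groups if g in MAX_AGE_DAYS]
    return min(ages) if ages else DEFAULT_MAX_AGE


def check_accounts(accounts, today):
    """Return (username, tier_days, age_days) for every account whose
    password is older than its tier allows; accounts is a list of
    (username, [groups], date_of_last_password_change)."""
    overdue = []
    for user, groups, last_changed in accounts:
        limit = max_age_for(groups)
        age = (today - last_changed).days
        if age > limit:
            overdue.append((user, limit, age))
    return overdue


# Constructed sample export and reference date; not real accounts.
TODAY = date(2012, 10, 23)
SAMPLE = [
    ("alice", ["faculty", "pci-scope"], date(2012, 7, 1)),  # 90-day tier wins
    ("bob", ["faculty"], date(2012, 7, 1)),                 # 180-day tier
    ("carol", ["low-risk"], date(2011, 12, 1)),             # 360-day tier
    ("dave", [], date(2012, 6, 1)),                         # default tier
]

if __name__ == "__main__":
    for user, limit, age in check_accounts(SAMPLE, TODAY):
        print(f"{user}: password {age} days old, tier allows {limit}")
```

Run against a real directory export, the same logic gives an auditor a list of PCI-scope accounts that are past 90 days without forcing the shorter life on the rest of the campus.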


PCI requirements are also 6-8 characters, which is low. Several years ago, I spoke with a DoD representative and they determined that a more complex password that is changed annually is more secure than a simpler password changed more often. People have a tendency to write down their password when the requirements to change it are more frequent. Also, some systems are still struggling with the special characters in the password.

So, as a follow-up, what about an 8-12 character requirement changed annually? 

Thanks!

Mark

______________________________________________
Mark Staples
Vice President & Chief Information Officer
Wentworth Institute of Technology
Division of Technology Services

Williston Hall | 550 Huntington Avenue | Boston, Ma 02115
Office Phone: 617-989-4592 | Mobile: 617-543-4184
email: staplesm@wit.edu | Twitter: markstaples_cio
______________________________________________

"The conventional view serves to protect us from the painful job of thinking." -John Kenneth Galbraith

I had advocated not expiring at all, in general.  But I would absolutely make exceptions for special accounts, either due to legal/audit requirements, or because some accounts are just too powerful.  For example, we protect our sysadmin accounts with SecurID, which effectively changes the "password" every minute.  Exceptions for PCI seem reasonable to me.

Password aging and password complexity defend against *different* attacks.  You cannot fully trade one off against the other.  If you increase the complexity (to defend against guessing attacks), the password can still be compromised by social engineering or web malware.  Aging, if properly done, can defend somewhat against these two as well.   You absolutely need a reasonably complex password, but you need other defenses in addition; aging may or may not be a good choice in your environment.

Bob Goldstein



On 10/23/2012 01:57 PM, Staples, Mark wrote:

Message from cruch@fsmail.bradley.edu

To clarify: I have read recent posts.  I'm specifically looking for someone who has addressed the PCI requirement that passwords be changed every 90 days but has a longer than 90 day password life for your school.

Do you treat the PCI group with separate password life requirements?
Chuck

-- 
***************************************************
J. C. "Chuck" Ruch
Associate Provost for IRT/CIO
Bradley University
Office (309) 677-3100
Cell (309) 370-7104, Fax - (309) 677-3092
cruch@bradley.edu