MSU Listserv


MSUNAG Archives
MSUNAG@LIST.MSU.EDU
MSUNAG May 2006

Subject: Re: Password Expiration Policies
From: Bryan Murphy <[log in to unmask]>
Reply-To: Bryan Murphy <[log in to unmask]>
Date: Tue, 16 May 2006 13:04:26 -0400


Thank you to all who have replied thus far.

This logic is correct.  If an attacker manages to compromise an account
undetected and the pw never expires, they have free rein forever.

I have previously read most of the "security myth" documents that people
have linked to and generally disagree with the points made in them.

I am all too aware of the human factor when it comes to authentication so I
crafted my policy accordingly.  I do not disallow writing passwords on
post-its, but instead ask that they keep the post-it in a purse or wallet.

And also, having read this one for the first time
(http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx),
I disagree with most every point made in it.  :)

Essentially what this discussion comes down to is a difference between
system controls and user education/policy enforcement.  If both are in
place, things should be smooth, but one without the other will result in an
administration nightmare.

I'm thinking I may adjust the expiry time (a number of respondents say that
they keep it around 45 days); however, I believe most of these arguments
against expiring altogether are flawed and I will continue to abide by the
CISSP training and NSA best practice docs.

On an unrelated note... I get asked this a lot. :)  The support system that
I use at http://infotech.prl.msu.edu is Kayako eSupport (
http://kayako.com/esupport.php).  It is very versatile and a purchased edu
license is $250 and well worth the cost.  It also has an e-mail parser to
generate tickets based on emails sent to a support address.

Thanks for the info and keep it coming. :)

,--------------------------------------------+-----------------------------,
| Bryan Murphy, CISSP                        | [log in to unmask]  |
| Information Technology Coordinator         |       517.432.5939 w        |
| MSU Plant Research Lab & Plant Biology     |      517.355.1926 fax       |
| 132a Plant Biology Bldg.                   | http://infotech.prl.msu.edu |
'--------------------------------------------+-----------------------------'

-----------[ 5/16/06 12:13 PM [log in to unmask] ]--------------

> At one point I shared your concern regarding password changes. The
> thought process goes like this: If I have a password, and someone begins
> to crack the password, I am only giving them a small area of time before
> the password changes, and they have to start over. This is a valid
> statement if computers are the only concern (i.e. computer accounts in
> Active Directory). However, if people are involved then you have another
> set of problems. The biggest problem most people have is that they
> cannot remember their password if they have to change it often. If you
> have a password set to expire every 30 days, then people will write down
> the password (because they cannot remember the password). You
> have then changed the password from "something you know" to "something
> you have". Since people tend to place important items near where they
> use them this becomes a problem.
> 
> Instead, I tend to ask users to use "pass phrases" instead of
> "passwords". The password complexity increases with length, and thus you
> can increase the period between password changes without problems regarding
> brute force password guessing. Pass phrases are usually 1 sentence in
> length and include spaces and punctuation. These are easy to remember,
> and difficult to crack. The only difficulty is that MSU Net passwords
> cannot use the space character (yet). For reference see
> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx.
> They have some different examples, but the idea is the
> same.
> 
> FYI, our passwords expire every 180 days.
> 
> +-------------------------------------------+
> |            Michael Surato                 |
> |      Resource Center for Persons          |
> |           with Disabilities               |
> |      Michigan State University            |
> |            120 Bessey Hall                |
> |        East Lansing, MI 48824             |
> | Voice: (517) 353-9643 Fax: (517) 432-3191 |
> +-------------------------------------------+
>    
> 
>> -----Original Message-----
>> From: MSU Network Administrators Group
>> [mailto:[log in to unmask]] On Behalf Of Bryan Murphy
>> Sent: Tuesday, May 16, 2006 11:47 AM
>> To: [log in to unmask]
>> Subject: [MSUNAG] Password Expiration Policies
>> 
>> Hi Guys,
>> 
>> I am about to implement a password policy that calls for
>> password expiration every 30 days.  I have run my policy by a
>> small group of faculty and found that this (as I suspected)
>> is the only point of contention in the policy.
>> 
>> From a security standpoint this is absolutely essential for
>> a number of reasons, and I have explained these reasons but
>> still get guff.
>> 
>> For some reason stating "department x has this same policy"
>> or "x % of the departments on campus already do this" works
>> far better than logical explanations... So I was wondering if
>> anyone in NAG'Land would mind sharing what they are doing for
>> departmental password policies.
>> 
>> Thank you.
>> 
>> ,--------------------------------------------+-----------------------------,
>> | Bryan Murphy, CISSP                        | [log in to unmask]  |
>> | Information Technology Coordinator         |       517.432.5939 w        |
>> | MSU Plant Research Lab & Plant Biology     |      517.355.1926 fax       |
>> | 132a Plant Biology Bldg.                   | http://infotech.prl.msu.edu |
>> '--------------------------------------------+-----------------------------'
>> 
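The quoted argument above (a longer pass phrase pushes brute-force search time past any sensible expiry window, so the expiry period can be stretched) can be put into numbers. The Python below is an added illustration, not code from the thread or from MSU; the guess rates, the 94-character printable alphabet and the factor-of-100 "comparable" threshold are assumptions.

```python
import math

# Expiry windows mentioned in the thread: 30 days (proposed), 45 days
# (several respondents) and 180 days (Michael Surato's department).
EXPIRY_DAYS = (30, 45, 180)
# Assumed guess rates, not from the thread: an online guesser throttled by a
# lockout policy versus an offline attack on a stolen password hash.
ONLINE_GUESSES_PER_SEC = 10.0
OFFLINE_GUESSES_PER_SEC = 1e9
# Assumed threshold: rotation only matters while the expected search time
# stays within this factor of the expiry window.
COMPARABLE_FACTOR = 100


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a secret drawn uniformly from alphabet_size ** length
    choices; human-chosen secrets are weaker, so this is an upper bound."""
    return length * math.log2(alphabet_size)


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Expected days for a brute-force search to hit the secret; on average
    half of the keyspace has to be tried."""
    return 2.0 ** (bits - 1) / guesses_per_second / 86400.0


def assess_rotation(bits: float, guesses_per_second: float,
                    expiry_days: int) -> str:
    """What does expiring the password every expiry_days buy against a
    brute-force search running at guesses_per_second?"""
    search_days = days_to_exhaust(bits, guesses_per_second)
    if search_days < expiry_days:
        return "cracked before expiry"        # rotation comes too late
    if search_days < expiry_days * COMPARABLE_FACTOR:
        return "rotation shortens window"     # forces the search to restart
    return "rotation irrelevant"              # search would not finish anyway


def compare_policies() -> dict:
    """Verdicts for an 8-character password versus a 25-character pass phrase,
    both over the 94 printable ASCII characters (MSU Net disallows spaces),
    under each expiry window and both guess rates."""
    secrets = {"8-char password": keyspace_bits(8, 94),
               "25-char pass phrase": keyspace_bits(25, 94)}
    rates = {"online": ONLINE_GUESSES_PER_SEC, "offline": OFFLINE_GUESSES_PER_SEC}
    return {(name, rate_name, days): assess_rotation(bits, rate, days)
            for name, bits in secrets.items()
            for rate_name, rate in rates.items()
            for days in EXPIRY_DAYS}
```

The instructive case is the 8-character password under an offline attack, where the expected search time lands between the 30-day and 45-day windows discussed, while the 25-character pass phrase is out of reach whatever the expiry, and online guessing behind a lockout policy is out of reach for both.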
