 |
 |
On Tuesday 16 May 2006 11:46, Bryan Murphy wrote: > Hi Guys, > > I am about to implement a password policy that calls for password > expiration every 30 days. I have run my policy by a small group of faculty > and found that this (as I suspected) is the only point of contention in the > policy. > > From a security stand point this is absolutely essential for a number of > reasons, and I have explained these reasons but still get guff. > > For some reason stating "department x has this same policy" or "x % of the > departments on campus already do this" works far better than logical > explanations... So I was wondering if anyone in NAG'Land would mind sharing > what they are doing for departmental password policies. > > Thank you. Brian, After dealing with end users and passwords for about 25 years now, in my experience I will say that a 30 day expiration is awful. Why? People tend to want to change their passwords approximately once every Never, so getting them to pick secure passwords and have them in their heads is crucial.. Make people change passwords often and they'll 1) change to a new password, 2) change right back to the older password. Any systems that caches pw's is a security horror in its own right, so that shouldn't be used to try to prevent password swapping. People who need to change passwords often all too frequently put them 1) on postits on their monitors, 2) little pieces of paper in makeup cases, 3) in PDA's, 4) as files on their laptops 5) on dashboard visors in their cars. I have seen numerous examples of each. If people must write them down, JUST the passwords on a paper in the sleeve of a credit card protector is OK. Having just the password written down without anything else is surprisingly easy to associate with whatever, in the cases I have seen. Of course a security breech where you have good reason to believe your passwords have been exposed is one of those things were you have to beat your users into shape but hopefully thats very rare. Passwords that look like noise are the best. My most successfull trick has been to get people to take the first letter (or last) from a phrase in a song or poem and use that. Thus things like ibaatwassmfyaoastfims become easy for people to remember. I haven't pushed on this yet, but given the above algorithm perhaps I could pursuade folks to change pw's every six months that way. Passwords are the great weak link in security. --STeve Andre Political Science