At one point I shared your concern regarding password changes. The thought process goes like this: if I have a password, and someone begins to crack the password, I am only giving them a small window of time before the password changes, and they have to start over. This is a valid statement if computers are the only concern (i.e. computer accounts in Active Directory). However, if people are involved then you have another set of problems.

The biggest problem is that most people cannot remember their password if they have to change it often. If you have a password set to expire every 30 days, then people will write down the password (because they cannot remember it). You have then changed the password from "something you know" to "something you have". Since people tend to place important items near where they use them, this becomes a problem.

Instead, I tend to ask users to use "pass phrases" instead of "passwords". Password complexity increases with length, and thus you can increase the period between password changes without problems regarding brute-force password guessing. Pass phrases are usually one sentence in length and include spaces and punctuation. These are easy to remember and difficult to crack. The only difficulty is that MSU Net passwords cannot use the space character (yet). For reference see http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx. They have some different examples, but the idea is the same.

FYI, our passwords expire every 180 days.
+-------------------------------------------+
| Michael Surato                            |
| Resource Center for Persons               |
| with Disabilities                         |
| Michigan State University                 |
| 120 Bessey Hall                           |
| East Lansing, MI 48824                    |
| Voice: (517) 353-9643 Fax: (517) 432-3191 |
+-------------------------------------------+

> -----Original Message-----
> From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Bryan Murphy
> Sent: Tuesday, May 16, 2006 11:47 AM
> To: [log in to unmask]
> Subject: [MSUNAG] Password Expiration Policies
>
> Hi Guys,
>
> I am about to implement a password policy that calls for
> password expiration every 30 days. I have run my policy by a
> small group of faculty and found that this (as I suspected)
> is the only point of contention in the policy.
>
> From a security standpoint this is absolutely essential for
> a number of reasons, and I have explained these reasons but
> still get guff.
>
> For some reason stating "department x has this same policy"
> or "x % of the departments on campus already do this" works
> far better than logical explanations... So I was wondering if
> anyone in NAG'Land would mind sharing what they are doing for
> departmental password policies.
>
> Thank you.
>
> ,--------------------------------------------+-----------------------------,
> | Bryan Murphy, CISSP                        | [log in to unmask]          |
> | Information Technology Coordinator         | 517.432.5939 w              |
> | MSU Plant Research Lab & Plant Biology     | 517.355.1926 fax            |
> | 132a Plant Biology Bldg.                   | http://infotech.prl.msu.edu |
> '--------------------------------------------+-----------------------------'
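The reply above argues that length buys you a longer rotation period because the attacker's brute-force time grows past any sensible expiry window. The script below is an added worked example (not part of either message on this list) that puts numbers on that argument: it computes the search space of a password from its length and alphabet, turns that into days of exhaustive guessing at an assumed attacker rate, and reports whether a given expiry period is shorter than, comparable to, or irrelevant next to the expected crack time. The guess rate (one billion guesses per second, i.e. an offline attack on a captured hash) and the "100x" threshold for "irrelevant" are assumptions chosen for illustration. It also goes slightly beyond the message by modelling a phrase built from dictionary words as a draw from a word list rather than as random characters, since character-level entropy overstates the strength of natural-language sentences.

```python
import math

# Assumed attacker model for this example (not a figure from the thread):
# an offline attacker trying one billion candidates per second against a captured hash.
GUESSES_PER_SECOND = 1e9

# Assumed ratio above which the expiry period no longer matters: if the expected
# crack time is more than this many times the expiry, rotating adds nothing useful.
IRRELEVANCE_FACTOR = 100

SECONDS_PER_DAY = 86400


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols from an
    alphabet of `alphabet_size`. Also works for word lists: length = number of
    words, alphabet_size = size of the list (e.g. 7776 for a Diceware list)."""
    return length * math.log2(alphabet_size)


def days_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Days needed to try every candidate in a keyspace of `bits` bits."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_DAY


def expected_crack_days(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the right password: on average half the keyspace."""
    return days_to_exhaust(bits, guesses_per_second) / 2


def rotation_verdict(bits: float, expiry_days: int,
                     guesses_per_second: float = GUESSES_PER_SECOND) -> str:
    """Classify an expiry period against the expected crack time.

    'cracked before it expires' : attacker typically wins inside one expiry period,
                                  so the change comes too late.
    'expiry period matters'     : crack time and expiry are of the same order; the
                                  password is likely changed before it is found, which
                                  is the scenario the reply describes.
    'expiry adds nothing'       : crack time dwarfs the expiry period; rotation only
                                  creates the "write it down" problem.
    """
    crack = expected_crack_days(bits, guesses_per_second)
    if crack <= expiry_days:
        return "cracked before it expires"
    if crack > IRRELEVANCE_FACTOR * expiry_days:
        return "expiry adds nothing"
    return "expiry period matters"


def scenarios(expiry_days: int) -> dict:
    """Constructed comparison set: a classic 8-character 'complex' password over the
    95 printable ASCII characters, a 25-character lowercase sentence with spaces
    (27 symbols), the same sentence with the spaces removed (MSU Net does not allow
    spaces), and a 5-word phrase drawn from a 7776-word list."""
    cases = {
        "8 chars, 95 printable ASCII": keyspace_bits(8, 95),
        "25-char lowercase sentence with spaces": keyspace_bits(25, 27),
        "21-char sentence, spaces stripped": keyspace_bits(21, 26),
        "5 words from a 7776-word list": keyspace_bits(5, 7776),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "expected_crack_days": expected_crack_days(bits),
            "verdict": rotation_verdict(bits, expiry_days),
        }
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    for expiry in (30, 180):  # the two periods discussed in the thread
        print(f"--- expiry every {expiry} days, {GUESSES_PER_SECOND:.0e} guesses/s ---")
        for name, r in scenarios(expiry).items():
            print(f"{name:42s} {r['bits']:6.1f} bits  "
                  f"{r['expected_crack_days']:12.3g} days  {r['verdict']}")
```

At the assumed rate, the 8-character complex password sits right where a 30-day expiry is doing real work (expected crack time of roughly 38 days) and where a 180-day expiry has already lost the race; every passphrase variant, including the one with spaces stripped, is so far beyond either period that the expiry interval is not what protects it. Change `GUESSES_PER_SECOND` to match your threat model (online guessing against a lockout-protected login is orders of magnitude slower; a GPU rig against an unsalted fast hash can be faster) and the verdicts shift accordingly.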