Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Password Management for Students
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Mon, 13 Oct 2008 08:32:08 -0400

I was hoping someone could lend me some assistance.  We are trying to
make some changes to our password policy for our students and we were
hoping to find out what other institutions are doing.  So here are our

How did you decide on the policy?

We do not enforce any password restrictions on students.  Our password policy varies depending on the type of data an 
individual has access to.  If a student were also a member of staff and had access to an application that stored or 
processed sensitive data, then certain password restrictions would be imposed (e.g. 90 day password changes, password 
strength enforcement, etc.).  We felt this was a good balance given the inconvenience to users and the lack of convincing 
evidence on either side of the argument that changing passwords provides value.  It also gets at what we're really 
trying to protect.

How are the students resetting the password once it expires?

Anyone on campus who wishes to reset their password can do so via the Help Center or through our portal.  The portal is 
leveraging functionality built into our identity management solution.

Are you notifying your students when their password is
expiring via an email and is this process automated?

There is an automated email that goes out to a user when his or her password is about to expire.  We also leverage 
click through warning messages when a user authenticates to certain systems.

Hope this is helpful!


Doug Markiewicz
Information Security Office
Carnegie Mellon University

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]