Educause Security Discussion
mailing list archives
Re: Password Management for Students
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Mon, 13 Oct 2008 08:32:08 -0400
I was hoping someone could lend me some assistance. We are trying to
make some changes to our password policy for our students and we were
hoping to find out what other institutions are doing. So here are our
How did you decide on the policy?
We do not enforce any password restrictions on students. Our password policy varies depending on the type of data an
individual has access to. If a student were also a member of staff and had access to an application that stored or
processed sensitive data, then certain password restrictions would be imposed (e.g. 90-day password changes, password
strength enforcement, etc.). We felt this was a good balance given the inconvenience to users and the lack of convincing
evidence on either side of the argument that changing passwords provides value. It also gets at what we're really
trying to protect.
How are the students resetting the password once it expires?
Anyone on campus who wishes to reset their password can do so via the Help Center or through our portal. The portal is
leveraging functionality built into our identity management solution.
Are you notifying your students when their password is
expiring via an email and is this process automated?
There is an automated email that goes out to a user when his or her password is about to expire. We also leverage
click-through warning messages when a user authenticates to certain systems.
Hope this is helpful!
Information Security Office
Carnegie Mellon University