Educause Security Discussion
mailing list archives
Re: Password Complexity and Aging
From: Geoff Nathan <geoffnathan () WAYNE EDU>
Date: Sat, 11 Apr 2009 12:08:52 -0400
I'll second Roger and Valdis' comments about the religious nature of this debate. I tried to educate our auditors and
failed, and indeed they had expiry of ancient account passwords in mind as a driving force. So far there haven't been
many loud squawks, but we're only into our second 180 days. What has been troublesome is the fact that we're going to
have to limit the use of non-alphanumeric characters because of issues with Oracle, so we're actually dumbing down our
requirements.
We've also had a fight about whether the actual complexity restrictions should be on a public page or not (some folks
seem to believe it's a security risk). As long as we're going with 'industry standard' (minimum eight, at least one
cap, at least one non-letter, not the same as the last one, 180 days) we're not giving out 'the keys to the kingdom', I
think we're not usefully hiding anything, but it looks like I'm losing that fight too.
Geoffrey S. Nathan
Faculty Liaison, C&IT,
Policy Coordinator
and Associate Professor, Linguistics Program
+1 (313) 577-1259 (C&IT)
+1 (313) 577-8621 (English/Linguistics)