Re: password length and required reset

["Flynn, Gary - flynngn" <flynngn () JMU EDU>]

Sorry, I didn't read your whole post.

One could definitely justify weaker authentication policies for self-service 
accounts but there are some caveats.

Some services can affect the institution and other constituents - for example 
compromised email accounts used for internal phishing.

Effects of compromised unstructured storage (e.g. Dropbox) can vary a lot. One 
doesn't know what kind of data is stored there or to who or what it pertains. 
Malware or illegal materials can be added. The storage may be shared with 
others, possibly some having higher privileges.

If the account credentials are valid for access to multiple services, 
assessing potential losses gets complicated.

I believe most banks refund money to individual account holders who have lost 
money due to fraud, even if the fraud was performed using the account holder's 
credentials. That affects the bottom line of the bank (and their other 
customers). Access to self-service direct deposit information is a similar 
situation.

It is a business decision. Keep customers happy, accept the security breaches, 
and absorb the losses (e.g. direct financial, incident monitoring and response 
costs, potential lateral movement) or increase security, decrease customer 
satisfaction, and possibly increase support costs.

Some customers may welcome the additional security depending on the service 
being protected. I believe it is important to at least provide an option for 
stronger account security should an individual desire it, even if business 
policies don't require it. That online bank account may have a policy saying 
the bank will refund money lost due to fraud but I'd rather not go through the 
experience or test the policy. How many policies also say the owner is 
responsible for any actions taken by the account?

Gary Flynn
Security Engineer
James Madison University


> -----Original Message-----
> From: Flynn, Gary - flynngn
> Sent: Monday, October 10, 2016 9:19 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: RE: password length and required reset
>
> Compromise of the accounts you mention primarily affect the data and
> services
> of the owner of the account. That is, they're self-service accounts.
>
> Compromise of a faculty or staff account would almost certainly provide
> unauthorized access to constituent data, institutional data, and/or the
> ability to affect constituent services.
>
> I would guess that the authentication policies for the employees of the
> organizations you listed are different than the policies that apply to their
> customers. At least I'd hope so. :)
>
> Gary Flynn
> Security Engineer
> James Madison University
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike
> > Cunningham
> > Sent: Monday, October 10, 2016 9:10 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] password length and required reset
> >
> > Thanks for the feedback.
> >
> > How do you counter the argument that no other online service that
> requires
> > passwords have any set time limit on a password, and they are sites with
> > much more sensitive information. Bank sites, credit card sites, amazon,
> > paypal, gmail, yahoo, Hotmail, outlook.com phone companies, Netflix, etc. 
> > I
> > can't think of any service that I have myself that requires me to change a
> > password on a regular basis and that is how students view us, as just
> > another
> > online service.  I am 100% in favor of employees needing to reset a
> password
> > since their access gives them access to other peoples data but for 
> > students
> > they only have access to their own data so password mismanagement only
> > puts their own data at risk, just like on any of those other services.
> >
> > Mike Cunningham
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Boyd, Daniel
> > Sent: Monday, October 10, 2016 8:42 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] password length and required reset
> >
> > You are correct in thinking that 12 characters will help.  If you run
> > passwords
> > through most any analyzer, that 12th character adds a tremendous amount
> > of time to the decryption process... but will not help if common phrases,
> > titles, and sequences are used.
> >
> > We recently moved all faculty, staff and service accounts to a 90-day
> > password reset cycle, with a history of 6.  We are considering a minimum
> > password age of 2 days, but have not implemented that change yet.  We
> > recommend the password to be a minimum of 8, but no longer than 13
> > characters (any longer and Office365 complains, at least as of August of
> > this
> > year) and cannot contain three consecutive characters of their username.
> It
> > also must have a capital letter and a number or symbol.
> >
> > It has taken a number of years to push this policy amid lots of grumbling
> > from
> > staff and faculty.  We got buy-in from administration by explaining our
> > reasons for implementing, we communicated the change effectively to the
> > community and so far, have not had significant backlash.  We considered
> > having two different policies for staff and faculty, but decided it was in
> > everyone's best interest to enforce the stricter policy (whether they
> > believed it or not).
> >
> > Students have all the same requirements except the max age for their
> > password is 180 days.  No issues there either, as this is explained at
> > orientation.  While it frustrates a tiny percentage, it is an acceptably 
> > low
> > percentage.
> >
> > The key is effective communication and simple explanation of the reasons
> > why this is important.
> >
> > Good luck with any changes you make.
> >
> > Dan
> >
> >
> > Daniel H. Boyd (94C)
> > Senior Network Architect
> > Network Operations
> > Information Security Advisory Group Chair Berry College
> > Phone: 706-236-1750
> > Fax:     706-238-5824
> >
> > There are two rules to follow with your account passwords:
> > 1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
> > 2. If unsure, consult rule #1
> >
> >
> >
> >
> > -----Original Message-----
> > From: Mike Cunningham [mailto:mike.cunningham () PCT EDU]
> > Sent: Friday, October 07, 2016 3:29 PM
> > Subject: password length and required reset
> >
> > We current have a password length rule of 6 with a password expiration of
> > 180 days. We are considering changing that to a length of 12 with a
> > recommendation to use a pass phrase, and no expiration. Students can
> want
> > to can change their password daily or never. We believe the longer length
> > requirement will make the password so much stronger that the password
> > reset is no longer needed. This change is for students ONLY. Employees 
> > will
> > still have a password recent requirement.
> >
> > Thanks
> >
> >
> > Mike Cunningham
> > VP of Information Technology Services/CIO Pennsylvania College of
> > Technology

Attachment: smime.p7s
Description: