For security purposes, it would be nice for each organization to be able to set a password expiration period, so that a new password would need to be entered every 3-12 months, or whatever interval the organization deems necessary under its policies.
9 comments
-
Brian Dunbar Argh. Why, Brian, why??!
-
Jeremiah Miller Does Populi currently have a password expiration policy? If so, what is it? If not, it needs to have one!
-
Brian Zylstra It currently doesn't! That's why it needs one!
-
Shane Flynn My experience with password expiration policies is that they end up creating a less secure environment rather than a more secure one. As soon as a password has to be changed, many users will default to writing that password down on a sticky note in the drawer of their desk. This becomes a social hacker's playground, especially if the entire organization does it on a set schedule. Once that reset hits, it's like sending up a flare telling everyone, "Everyone changed their password, go look for sticky notes in offices!"
I like the current policy of forcing a very strong password and letting users maintain it long term.
If more security is required, I would vote for a hardware-based authenticator before a password expiration policy.
http://www.cryptosmith.com/sanity/expharmful.html
^^ Good article from 2002 on password expiration
-
Jeremiah Miller Good points about security, Shane. However, I believe that each school should have the ability to pick its own policy based on its culture and users. Some schools are required to have password expiration policies, and others aren't. For example, our IT policies, especially those related to security and passwords, are scrutinized during our annual audits. Among the things they ask about are password complexity and password expiration policies.
I agree that an improper expiration policy can lead to worse security, but I'm of the opinion that a judiciously chosen policy can help enhance security too.
-
Adam Sentz I agree with Shane. In my experience people tend to just reuse the same 2 passwords, just change one character in their password, or just reset it twice so they can change it back to the one they remember in order to circumvent the hassle imposed by a password expiration. We already require a password with a minimum of ten characters with at least one numeral, one uppercase letter, and one lowercase letter - my bank doesn't even make me use a password that strong.
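As an added example (not code from Populi or from any commenter on this thread), the Python sketch below enforces the complexity rule Adam describes (ten characters, at least one numeral, one uppercase and one lowercase letter) and adds the two server-side checks a practitioner would pair with any expiration policy to blunt the circumventions he lists: a hashed password history that rejects changing back to a recent password, and an edit-distance check against the current password that rejects a one-character tweak. The `Account` type, the history depth of 5, the minimum of 3 changed characters, the PBKDF2 parameters and the sample passwords are all assumptions made for illustration.

```python
"""Password-change policy: complexity, similarity to current, hashed history, expiry.

Added example with hypothetical names and parameters; not Populi's code.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_LENGTH = 10            # from the thread: ten characters, a numeral, an upper and a lower
HISTORY_DEPTH = 5          # assumption: remember the last five password hashes
MIN_CHANGED_CHARS = 3      # assumption: new password must be >= 3 edits away from the current one
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stores salt || digest so each record is self-describing."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of the candidate against a stored salt || digest."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def complexity_errors(password: str) -> list[str]:
    """The thread's stated rule; returns every violated requirement (empty list if compliant)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        errors.append("no numeral")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    return errors


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a value of 1 is the 'just change one character' case."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Account:
    password_hash: bytes
    changed_at: datetime
    history: list[bytes] = field(default_factory=list)  # previous hashes, newest first


def is_expired(account: Account, max_age_days: int, now: datetime) -> bool:
    """Age-based expiry, the policy the feature request asks for."""
    return now - account.changed_at > timedelta(days=max_age_days)


def change_password(account: Account, current: str, new: str, now: datetime) -> list[str]:
    """Apply the change if policy allows; return the reasons it was refused (empty on success).

    The similarity check can only be done here, at change time, because the user has
    just supplied the current password in the clear; the history check works on hashes.
    """
    if not verify_password(current, account.password_hash):
        return ["current password incorrect"]
    reasons = complexity_errors(new)
    if edit_distance(current, new) < MIN_CHANGED_CHARS:
        reasons.append(f"differs from current password by fewer than {MIN_CHANGED_CHARS} characters")
    if any(verify_password(new, old) for old in account.history):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if reasons:
        return reasons
    account.history = [account.password_hash] + account.history[: HISTORY_DEPTH - 1]
    account.password_hash = hash_password(new)
    account.changed_at = now
    return []


if __name__ == "__main__":
    # Constructed sample: an account whose user tries each circumvention from the thread.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = Account(hash_password("Correct-Horse9"), t0)
    print(change_password(acct, "Correct-Horse9", "Correct-Horse0", t0))    # one-character tweak
    print(change_password(acct, "Correct-Horse9", "Battery-Staple42", t0))  # genuine change
    print(change_password(acct, "Battery-Staple42", "Correct-Horse9", t0))  # swap back to the old one
    print(is_expired(acct, 90, t0 + timedelta(days=91)))                    # past a 90-day policy
```

The point of the sketch is that an expiration rule on its own is only the `is_expired` line; what makes it worth enabling is the history and similarity checks around the change itself, and those are the pieces a system should carry regardless of whether a school turns the expiry on.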
-
Jeremiah Miller While I applaud Populi's strong password support, and I do agree somewhat with Shane, the main point is that schools need the freedom to choose what works for their culture, their IT policies and requirements, and their legal and regulatory obligations.
-
Joshua Penman We'd appreciate the ability to expire passwords too. It's the type of thing that our insurer is wanting us to ensure we have enabled on all our systems.
-
Adam Sentz @Joshua - We still believe this would not be in the best interest of improving Populi's security. We have implemented other (and we believe better) means of securing against the threats that mandatory, scheduled password resets supposedly address.
Perhaps you could send your insurer this case study written last year by the FTC's Chief Technologist, and ask them to reconsider their policy.