Password Management Policy (archived)

September 17, 2013

September 16, 2013

Password Management Policy (click here to review policy)

Comments due October 7, 2013

3 thoughts on “Password Management Policy (archived)”

  1. Marc Becker says:

    Could someone please provide me with documented evidence of the importance of frequent password changes to network security? Each time I am required to change my password I end up using a weaker and weaker password that I can remember. Yes, I can use a random password generator to create a VERY strong password, but there is NO WAY I could remember that password, especially since I have to change it every 180 days. I COULD create a strong password that I can remember, but I am not creative enough to create a similarly memorable password every 180 days. Would it not be better for network security to retain the same strong password rather than to create a series of increasingly easier to guess, either by human or machine, passwords?

  2. Curtis Kelsey says:

    There are a number of supporting reasons for the changes. #1- Cryptography strength in computers is based on computational complexity. As hardware gets better, crypto strength decreases in relation to key length. To counter this, key lengths are increased periodically. If you don’t change your password and make it more complex, at a certain point it will become trivial to crack your password. #2- The longer your password remains the same, the more time someone has to use password cracking techniques on it. If we don’t change our passwords periodically it would simply be a matter of time before our passwords were compromised.

    On your defense, your argument is founded on the basis that a stronger password could withstand a longer period of time under attack before becoming compromised. Using weaker passwords shortens the time required to break it. This is where the debate on administrative policies comes into play. How strong is the algorithm campus is using? How long are the keys? What are the password requirements? How long can the minimum password requirements withstand attack now? How long can the minimum withstand attack 6 months or 1 year from now? And, of course, how counterproductive is the policy to users’ workflow? Sometimes there must be a concession of security to allow for productivity.

    To find some arguments for strong passwords you may want to look at: http://www.seas.ucla.edu/security/passwords.html

    For arguments supporting the changing of passwords check out:
    http://answers.stanford.edu/solution/why-should-i-change-my-password

    In MIT’s knowledgebase they claim to have 1.5 million attempts a day on passwords.
    http://kb.mit.edu/confluence/display/istcontrib/Strong+Passwords
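The questions raised in the comment above (how long the minimum password requirements withstand attack now, and 6 months or a year from now) can be put into numbers. The Python below is an added example for this thread; it is not part of the policy and not code from either commenter. The offline guess rate, the yearly hardware growth factor, the 180-day rotation interval and the sample passwords are constructed assumptions chosen for illustration, and the entropy figure is an upper bound (a dictionary word is guessed far sooner than the bound suggests).

```python
"""Model how long a password space withstands offline guessing, and whether a
rotation interval is long or short relative to that time.

Added example for the comment thread; all numeric parameters are constructed
assumptions, not measurements of the campus systems under discussion.
"""
import math
import string

# Constructed assumptions. A real estimate depends on the hash algorithm that
# protects the stored passwords and on the attacker's hardware budget.
GUESSES_PER_SECOND_TODAY = 1e10   # assumed offline guess rate against a fast hash
ANNUAL_RATE_GROWTH = 2.0          # assumed yearly growth factor as hardware improves
SECONDS_PER_DAY = 86400


def charset_size(password: str) -> int:
    """Size of the smallest pool of standard character classes covering the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)       # 32
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy: log2(charset ** length).

    This is the best case for the user; dictionary words and predictable
    substitution patterns fall to wordlist and rule-based guessing long
    before the full space is searched.
    """
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def projected_rate(years_from_now: float) -> float:
    """Offline guess rate after the assumed hardware improvement."""
    return GUESSES_PER_SECOND_TODAY * ANNUAL_RATE_GROWTH ** years_from_now


def seconds_to_exhaust(bits: float, years_from_now: float = 0.0) -> float:
    """Seconds needed to try every password in a space of 2**bits."""
    return 2.0 ** bits / projected_rate(years_from_now)


def survives_rotation(bits: float, rotation_days: int, years_from_now: float = 0.0) -> bool:
    """True if exhaustive search outlasts the rotation interval (rotation could
    plausibly matter); False if the whole space fits inside one interval."""
    return seconds_to_exhaust(bits, years_from_now) > rotation_days * SECONDS_PER_DAY


def years_until_exhaustible(bits: float, rotation_days: int) -> float:
    """Years until the projected rate exhausts the space within one rotation
    interval (0.0 if it already can). Solves 2**bits / (R * g**y) = T for y."""
    interval = rotation_days * SECONDS_PER_DAY
    years = (bits - math.log2(GUESSES_PER_SECOND_TODAY * interval)) / math.log2(ANNUAL_RATE_GROWTH)
    return max(0.0, years)


def report(password: str, rotation_days: int = 180) -> None:
    """Print the model's answers for one constructed sample password."""
    bits = entropy_bits(password)
    print(f"{password!r}: {bits:.1f} bits (upper bound)")
    for years in (0, 0.5, 1):
        ok = survives_rotation(bits, rotation_days, years)
        print(f"  in {years:>3} yr: exhaustive search takes "
              f"{seconds_to_exhaust(bits, years):.3g} s; "
              f"{'outlasts' if ok else 'fits inside'} a {rotation_days}-day interval")
    print(f"  years until exhaustible within one interval: "
          f"{years_until_exhaustible(bits, rotation_days):.1f}")


if __name__ == "__main__":
    for sample in ("password", "Tr0ub4dor&3", "lowercaseletters"):   # constructed samples
        report(sample)
```

The model makes the dependencies in the comment explicit: the time to exhaust a space grows exponentially with length and character-pool size, so an eight-character lowercase password is searched in seconds regardless of how often it is rotated, while a long password outlasts any plausible rotation interval for years even after the assumed hardware growth. Rotation only changes the outcome when the exhaust time is of the same order as the interval, which is why the hash algorithm and the minimum requirements, not the rotation period, dominate the answer.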

  3. Michaela says:

    I don’t log on often since graduating, so I don’t usually know what password I set (it doesn’t help that it requires such complicated passwords), but every 170-something days it sends me relentless e-mails requesting I change the password, which then wastes a fair amount of my time. Stop making me change my password. I’m ok with the risk.

Comments are closed.