October 28, 2008
As Cyber Security Awareness Month winds to a close, Case announces the new University Password Policy. The new policy applies more stringent security controls for passwords based on information sensitivity of IT systems accesed by Case users.
The implementation of the new Student Information System (SIS), while making a great leap forward in terms of replacing the SSN as an student identifier, has changed the risk due to userid (Case Network ID) and passwords (also called 'credentials'). A much broader impact may be experienced to the SIS if user credentials are shared or compromised.
The new policy consolidates password complexity improvements implemented in early 2006 with additional controls, including a maximum password age. Users are now required to change their password at least annually. The new policy is applicable to all faculty, staff, students, and affiliates, but does not apply to alumni accounts. The technical implementation of the policy implement a password age counter, and an email notification process which begins 30 days prior to password expiration. If a user does not change the password by the expiration date, the password expires, but accounts remain active. The user can use the account again after changing the password.
More guidance and help with management of passwords can be found at the ITS Passwords page, http://www.case.edu/its/password
Frequently Asked Questions:
Frequently Asked Questions:
Q: What risk is the password policy addressing?
A: Case Network Passwords are the primary authentication method for users to access IT systems in the conduct of University business. The impact of password theft and sharing after May 2008 has a greater impact on the protection of sensitive data. The goal is to reduce the probability of compromised accounts being used to access University IT systems, in particular the Student Information System. The implementation of this policy includes measurement password ages and instances of user account compromise to make this risk acceptable.
Q: How did the password age get determined?
A: Having no password age was deemed an unacceptable risk to the university's information. The ITSPAC Security and Policy Subcommittee evaluated various standards, and surveyed similar institutions for their policies for passwords. The majority of the 79 institutions responding to our survey who were changing passwords, were changing them once per semester or trimester, generally every 180 days. Case has data on password ages, and we concluded that the University will find value in an annual password change as a starting point. The committee discussions concluded that the majority of Case users were ready to adapt to an annual password change.
Q: Is password age a "for real" security standard?
A: Ask any CPA and they will tell you about Generally Accepted Accounting Principles. Like accounting, information security is a constantly changing field, and standard practices exist as a baselined. In a similar vein, the University has created a benchmark study of our security posture against the published Generally Accepted System Security Principles by NIST (see paragraph 3.11.3). The university now has a standard and a means to address password security via Case Network ID:
- controls by information sensitivity
- password complexity
- password age (minimum and maximum)
- password history
Q: Will phishing be prevented by this policy?
A: No, if a user is tricked into giving their Case Network ID and password to an attacker, they can use your account, "...disguised as you." If you get phished, you need to change your password immediately. The implementation of password change tools will enable the Case user community to know how deal with these changes. The recommended password change interval is 180 days, but general users are only required to change annually.
Q: What if I don't change my password?
A: If your password is older than one year (e.g. you last changed it in 2006), it will expire on February 12, 2008. The ITS password tools will send you an email message with a 30-day warning. If you ignore the alerts, your password will expire, and you'll need to change it before you will be able to login again.
Posted by Thomas Siu at 08:33 PM