December 15, 2008
These summarize various questions Case users have asked about password change provisions of the University Password Policy.
Q: Why are passwords important to Case users?
A: In an open campus IT environment, authentication of users is the primary means to grant or deny access to online resources. Case uses passwords as a cost-effective means to protect data from unauthorized access.
The value and sensitivity of the data we manage have increased, and therefore our collective responsibility to protect this data has increased. In the past, the university used the network ID (half of the user account credential) as an email address (e.g. email@example.com), and these are readily available to anybody with a modicum of search engine experience. Since that half of the credential is already public, it is doubly important that passwords be handled with increased vigilance.
The highest risk we have of stolen passwords is from our wireless environment. Changing your password at regular intervals helps limit the risk of someone obtaining or guessing your password through a variety of attack methods. It also limits the amount of time a compromised password can be used. A password change policy also limits the exposure from passwords cached in browsers on shared machines, where they can be disclosed to other users.
The policy mandates an annual password change, but we recommend a higher frequency of change for employees or faculty whose work involves access to higher-sensitivity (Tier III) information.
Q: Why do I have to change my password at all? I mean, even my bank doesn't make me change my password.
A: Because your Case Password grants faculty, students, and some staff access to key IT infrastructure, such as the Student Information System, password changes have been implemented on an annual basis. Case implemented password complexity controls in 2005, and is now adding the annual password change requirement as a risk mitigation for theft or sharing of passwords, which would lead to disclosure of sensitive information. In the past, this was not the case for faculty users, who previously had no online access to student information in this fashion.
Financial institutions drive security controls based on the threats they experience, and won't drive password changes to their customers because a compromised account will only affect that one customer. You can bet your bailout package that the bank employees, who have a greater impact on the overall business, have stringent access and password controls. While there can be much debate about password controls, information management and security standards bodies state password complexity and regular change intervals as best practice (see NIST Special Publication 800-12, chapter 16).
Q: If I have to change my password, I'll make it simple and write it down. Won't that increase the likelihood of it being stolen in some other way?
A: We all agree that Case is a highly selective academic environment. Without submitting all faculty, students, and staff to an IQ test, we can be confident that Case users can easily memorize a new password once per year.
When we surveyed other universities, noting we were coming from a 'no change' background, we found a wide range of access-control stringency in their policies, varying from requiring password change every 90 days to every 180 days (see below).
The bottom line in the Acceptable Use Policy is that users are held accountable for what is done with their passwords.
Q: That email notification about changing my password, is that for real?
A: The first time around, users will get a 60-day notification before their password is set to expire. We get many phishing messages in higher education, so you should check with the Case Help Desk (http://help.case.edu) to be certain. You can tell our change notice apart from a phishing message because ours doesn't tell you to do anything. If users ignore the notice, that's okay too; the password will just expire when its date rolls over.
Q: Where are we going next with passwords?
A: We are experimenting with a 2-factor authentication system that will reduce our access-control and user authentication dependency on passwords. These technologies are becoming more affordable as they mature.
Q: Who else, academically, has a password change policy?
A: Here is a list of some universities we surveyed in 2008. Some have a password change policy, some only have guidelines or suggested changes. These are listed in terms of "more stringent, equally stringent, less stringent" for purposes of comparison.
Carnegie Mellon University is using a 90-day change cycle.
State University of New York (SUNY) has a 90-day maximum password age.
Columbia College of Missouri is using a 90-day change cycle.
The University of Notre Dame is using a 180-day change cycle.
Yale changes them every year.
Brown University only recommends 180-day password changes, but mandates them for other user groups (e.g. administrators).
The Ohio State University does not enforce global password changes, but they have a 2-factor authentication implementation which changes passwords for those users every 60 seconds.
Duke University does not enforce password changes; however, their medical school is segmented from the university as a whole and enforces HIPAA-like controls across the board.
Dartmouth uses smart card tokens (a form of multifactor authentication), and not passwords. These devices have digital certificates which are resistant to many password threats.
There are a number of other universities working on a similar policy; they just aren't as far along as we are.
If you have more questions, send them to ciso [at] case [dot] edu.
Posted by Thomas Siu at 11:57 AM