What should the password policy at a small liberal arts college be?
December 17, 2008 12:00 PM

My college has been using a system by which you are allowed to set your own access password which in turn allows you to log on to college-owned computers and access your college e-mail account. It was recently decided that once we all get back from winter break that the following password policy will be implemented.

1) Your password must be at least 8 characters
2) Your password must be changed every 90 days
3) You must use a password for at least 3 days before it can be changed.
4) You may not reuse the previous 12 passwords.

Is this a reasonable policy for base level access to computer labs and email? It seems like there will simply be a lot of people keeping their password written down somewhere quite public, most likely their college-issued planner.
posted by andythebean to Computers & Internet (47 answers total) 1 user marked this as a favorite
A forced password change every 90 days sounds very excessive, particularly if there are limits on reusing passwords. How about once every 6 months? A year? Or never? Never is what I would strongly prefer, but I understand concessions must be made.
posted by ThePinkSuperhero at 12:04 PM on December 17, 2008 [3 favorites]

This seems like overkill to me. Have you been having trouble with break-ins into student accounts? At the school I go to which is a large private university I just set the password once and never have had to change it again. They do require combinations of letters and numbers and the numbers can't all be one after the other. The letter combinations can't be common words and there's a minimum length requirement as well. All the rest just seems like a lot of hassle and would piss me off no end.
posted by peacheater at 12:06 PM on December 17, 2008

It is my opinion that forced password changes are just another form of security theater. Actual password strength is much more important. Unfortunately I don't have any published studies to back my opinions up.
posted by zsazsa at 12:07 PM on December 17, 2008

One thing: While it sounds great to have to change your password often, it does actually have the opposite of the intended effect, which is to say, it encourages the use of weak, easy-to-remember passwords. So, for instance, if I have to keep changing my password, I'm not going to use "HURhwqref*1-241"; instead, I'm going to use "niceness", "niceness1" "niceness2", etc.

Not that it's a bad policy, but just know that changing your password often is a really big hassle.
posted by General Malaise at 12:08 PM on December 17, 2008 [4 favorites]

I think that this is overkill as well - numbers 2 and 4 would really irritate me and scare me away from using the college system. A college student has enough to worry about - they shouldn't have to carry around a written record of what their last twelve passwords were. I can imagine that faculty would be even more outspoken against this.
posted by bristolcat at 12:09 PM on December 17, 2008 [1 favorite]

The small liberal arts college I went to had something similar.

1) 8 characters. It needed some of them to be non letters.
2) Password changes every 9 months
3) No 3 day wait on passwords
4) I'm not sure how many old passwords the system remembered.

It was reasonable. They also had an explanation of how to make a memorable pass phrase rather than a password. I find a short sentence (with punctuation) easier to remember than a random series of characters.
posted by valadil at 12:10 PM on December 17, 2008

If I had to use a system that made me change my password every 90 days and wouldn't even let me re-use old passwords I'd just do everything possible to never log into that system. And every time I did need to log in, I would be using the "forgotten password" tool. You'll need one of those.

I can see only two reasons for having a policy like that: A) You don't want people using their college email; B) You're getting kickbacks from Dell or Apple every time a student buys a computer so they can avoid using your annoying computer labs. I assume neither of these is the case, so I vote for the "Never" option that ThePinkSuperhero suggested.
posted by If only I had a penguin... at 12:12 PM on December 17, 2008 [3 favorites]

This is the entirety of the exchange between myself and ITS after the announcement:

Me: "Why such a drastic change? I don't know of any other colleges that require this level of security. Was there some sort of dangerous breach or attack?"

ITS: "We have been asked by the College's auditors to upgrade our current user account policy. We are complying with their recommendations."

I have not heard any reports of student account break-ins. What should I do to help convince them that they are indeed going overboard?
posted by andythebean at 12:15 PM on December 17, 2008

Another vote for excessive. I'm also not sure how much good forced password changes do. If an account becomes compromised, no forced period of password change is going to help.

I'm not going to use "HURhwqref*1-241"; instead, I'm going to use "niceness", "niceness1" "niceness2", etc.

So true. We're undergoing a platform transition, and I need users' passwords at times as the admin. Almost everyone used this name1, name2, etc. system with forced password changes.
posted by jmd82 at 12:15 PM on December 17, 2008

I work at a small liberal arts college and we have a similar requirement. I think it's the same for both students and faculty/staff. Is this requirement just for students, or is it something that applies to all email users on that domain? In our case, it's also the same password used to access a lot of other systems that may contain more sensitive data.
posted by thejanna at 12:17 PM on December 17, 2008

1 is reasonable.
2 is unreasonable, and just asking people to write their passwords down.
3 and 4 are just to stop people trying to get around 2.

If you have any power over such things, a better policy would be:
1. Password must be at least 8 characters.
2. Password may not appear in the IT Department's Big List O' Common Passwords.
posted by Mike1024 at 12:18 PM on December 17, 2008 [1 favorite]

Point by point:

1) If this is their only requirement for passwords, then all the password changing in the world isn't going to save them. There should be requirements for password length, there should be requirements on mixing in different types of characters (alpha-numeric + symbols) and there should be checks against basic dictionary words.

2) This is a debatable point. I'm of the opinion (and I think a lot of other security people agree, though like zsazsa I don't have studies to back this up) that forced password changes encourage people to keep their passwords stored in insecure locations thus decreasing security overall. If you must use a system like this I would recommend using a password safe type program (I'm using KeyPass at the moment to keep track of everything) rather than just writing it down. Things like this exist for smart phones including iPhones and Blackberries.

3) This is just awful. If you know that your password has been compromised you need to be able to change it as soon as possible regardless of when you last changed it. I realize that they're doing this to force people to not just swap passwords back and forth, but the downside is too huge to be ignored.

4) If you take point 2 as an acceptable policy (which I don't), then this is perfectly reasonable.

If they really want security they need to move away from passwords entirely and move towards public/private keys or tokens (like RSA) for authentication.
posted by NormieP at 12:21 PM on December 17, 2008

We have a similar policy at my law school, and I hate the forced password changes. I definitely think it leads to weaker passwords with a number that continues to get bigger. Security theatre.
posted by craven_morhead at 12:21 PM on December 17, 2008

Twelve passwords multiplied by ninety days per password is four years. So the policy essentially requires that students never re-use a password during their time at the college. Was this an intentional choice?
posted by Johnny Assay at 12:21 PM on December 17, 2008

I'm a grad student at a large state school. They require passwords to have at least one each of uppercase, lowercase and numerical characters, and force a change every 180 days. I don't remember off the top of my head how many previous passwords are remembered, but I know it's at least two. This seems reasonable to me, but I've seen some crazy policies in the wild at other institutions and businesses.
posted by Alterscape at 12:21 PM on December 17, 2008

It would appear that they are setting a single policy whether you have access to sensitive parts of the system or just need to log into your campus email.
posted by andythebean at 12:23 PM on December 17, 2008

"Appropriateness" in security depends on what you're trying to protect. What harm are you trying to avoid?

Next, you must be sure your policy doesn't defeat itself when it comes to the people you're inflicting it on. Your users are smarter than you are when it comes to circumventing your policies.

In your policies, making me change my password so often that I can't remember it will make me store it in a file or on a post-it stuck in plain view, or choose a simple phrase that is distilled from my surroundings, like the Nth word of the school fight song or something. Make me set a good password, but don't make me think *you* are the harm/risk to avoid.

A good thing to ask is, "would you think this is onerous if we only doubled (or halved) policy constant X?" Like "why not force it every 45 days? is that too much?" If the answer is yes, then someone with half your tolerance (which is a lot of people) will do their best to subvert you.
posted by cmiller at 12:24 PM on December 17, 2008 [1 favorite]

ITS: "We have been asked by the College's auditors to upgrade our current user account policy. We are complying with their recommendations."

Didn't see this on preview, but FWIW, I partake in security audits from our overlords. While there are questions about "ample security" and "hardened passwords for sensitive data & accounts," and other security-related questions, I've never seen an explicit "Users change password every x months with complex security" from an audit. I might ask ITS or the overlords if the audit requires specific parameters. If not and it's just "upgrade security," I would try to go down the route that implementing these security requirements really can hinder security in the long run (if you believe that to be the case).

Regarding point 3: The point of this is that passwords are easiest to break right after they're changed (someone's looking over your shoulder or you write it down). By implementing the 3-day stipulation, you make the intruder more likely to leave that account alone because it can't be changed. This is why some places don't allow users to change passwords at all until the system tells you to, so if a system is compromised, they can't change the password and lock everyone else out.
I'm not saying it's a legitimate argument, but that's the rationale I've always heard.
posted by jmd82 at 12:26 PM on December 17, 2008

jmd82 - Regarding point 3 - but if the password can't be changed, wouldn't that mean an intruder is guaranteed free rein until someone actually realizes that there's been an intrusion? Part of the rationale for more frequent changes is that if a password has been compromised and no one detects it, the intruder is automatically locked out at the next required change.
posted by NormieP at 12:31 PM on December 17, 2008 [1 favorite]

while I think you are being quite strict for a low-security environment I also think it's a good way to establish security-conscious thinking in your students. so go ahead, get them used to working with more than just one password all the time. the following is the only point I don't really get:

3) You must use a password for at least 3 days before it can be changed.

I don't see why you are mandating this particular point. it doesn't seem to enhance security (=the potential upside seems small) while it does have the ability to get in the way of your users (=the potential downside is a tiny bit bigger). I keep changing passwords whenever I think someone looked over my shoulder and would surely run into that particular hurdle quickly. or imagine one of the students set a password and upon trying it a couple times decided it was too difficult to remember and wanted to change it. you want to confront especially the less computer-literate with as few problems as possible. we all know they don't read manuals or even dialog boxes on screen half the time.

may I suggest an alternative rule?
3) passwords must contain at least one numeric character and may not be just a dictionary word followed by said number.
posted by krautland at 12:31 PM on December 17, 2008

I work in IT at a large technical school. Our policy is:
1) At least 8 characters.
2) All passwords must include at least one letter, one number and one special character.
3) Change it every 90 days.
4) You can't use the previous 4 passwords.

Of these, #1 and #2 are the ones that most effectively protect us. #3 is there to keep someone from having the time to crack passwords. We use salted hashes, so this is no doubt overkill, but there's probably someone on campus who doesn't. #4 is there to force users to have different passwords.

I don't understand the need for the 3 day limit, unless it's to prevent users from resetting their passwords 12 times to get around #4. That can be handled pretty effectively by limiting people to changing their password once every 5 minutes.

Your question regarding breaches occurring isn't the right one. The question is how to prevent breaches. If a breach is public enough and personal information is compromised, people get fired, schools get sued, and lose status and possibly funding.

From my experience, fighting the auditors is a losing battle. You'll be better off spending your time teaching users how to make a strong memorable password and explaining the reasons for the policies.
posted by donpardo at 12:32 PM on December 17, 2008

Encourage the users to complain. They will anyway, since I've never seen a password policy that restrictive even in military installations and $3bil companies, but whatever. You're at a small liberal arts college, I'm sure the audit committee has their reasons.
posted by rhizome at 12:33 PM on December 17, 2008 [1 favorite]

I'm kind of a password Nazi, and I think forcing them to change their passwords every three months is way overboard. That's the sort of thing you do in security situations where you have a really serious interest in making sure that if someone does manage to get hold of a password, you limit the amount of time they have access to your system. As people have said already, in the case of a bunch of college freshmen, you're just encouraging easy-to-guess passwords that everyone writes down in obvious places.

I would advise a minimum of eight characters, requiring at least one letter and one number, and possibly at least one capital and one lowercase letter. That's really as far as you need to go in your situation, I'd say.
posted by EarBucket at 12:36 PM on December 17, 2008

What I've generally seen:

-At least 10 characters
-Must contain at least 2 numbers
-Password change every 2 years.
posted by dunkadunc at 12:40 PM on December 17, 2008 [1 favorite]

My workplace has an almost identical policy. I've encountered it on a few other systems I've had to log into over the past year. I think we'll see more of this, regardless of whether it's theater or not.

That said, it really hasn't been that hard to remember my new passwords and I wouldn't call it something that even registers as an annoyance for me. I don't have a great memory but I never have to write down the new one to remember it. Perhaps I've gotten used to keeping track of more passwords as the world's become more and more internet-dependent.

And with that said, thanks for the suggestion, valadil, that sounds like a more fun system than mine.
posted by juliplease at 12:45 PM on December 17, 2008

Longer passwords, and passwords that require a mix of alpha & non-alphabetical characters, are adequately secure. Longer passwords are just as easy to remember, and still easy to type. 90 day password changes will generate lots of complaining, and lots of Helpdesk calls.
posted by theora55 at 12:45 PM on December 17, 2008 [2 favorites]

I have yet to hear one argument why changing your passwords even ever is more secure than not. I have about 4 passwords that are very strong that I can type very quickly without thinking about it. There is no way anybody's going to be able to watch me type them and know what keys I hit. If I had to remember a new password, I'd type much more slowly, which, to me, seems less secure.

A strong password doesn't stop being strong after even two years. And, if somebody really wants to break your password, it won't take that long if they're going to be successful at all.
posted by General Malaise at 12:51 PM on December 17, 2008

Back in a former life I used to work for a small liberal arts college at what was called the Student Computing Information Center— basically a help-desk. The oppressive password policy resulted in people just repeating the same short string two or three times, which is hardly an increase in security. And, of course, people would still write their passwords down or pick ones that were easy to guess.
The college has an all-important need to maintain the security of their network, because really horrible things can happen if they don't. Given how expensive liberal-arts colleges are already, you might want to suggest that they invest in some cheapo biometric password thingies and pass the costs on to the students.
posted by Electrius at 12:55 PM on December 17, 2008

I have not heard any reports of student account break-ins. What should I do to help convince them that they are indeed going overboard?

Back up your argument with additional sources. People like Bruce Schneier have written about these issues at length.

Consider using an IDS that quarantines and protects against password cracking and other foul play.

Base your argument on the philosophy that we are here to serve the student community. Repeat that over and over again.

I'm a UNIX admin and us types are notorious for making the digital life complex and cultish. I'm one of the few who believes strongly that security is the responsibility of the administrator and not the community.
posted by ezekieldas at 12:58 PM on December 17, 2008 [2 favorites]

I may be revealing some fundamental ignorance here, but doesn't the requirement that the password not be identical to the last N>1 require that someplace there is a list of the last N passwords, either in plaintext or one that can be deciphered, since the hash that is generated for /etc/shadow isn't unique for a given password?
posted by Westringia F. at 1:18 PM on December 17, 2008 [1 favorite]
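As an added example (not code from the thread or from any college's system), here is a checker for the four rules in the question, extended with the additions several answers ask for: Mike1024's common-password list, krautland's "dictionary word followed by a number" rule, and the salted-hash password history donpardo mentions. That history also answers Westringia F.'s question: the server keeps only each old password's random salt and salted digest, and re-derives the candidate with each old salt to compare, so no plaintext or reversible form is stored. The word lists, PBKDF2 parameters and dates below are constructed stand-ins.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-ins for a real common-password list and a dictionary.
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "niceness1"}
DICTIONARY_WORDS = {"niceness", "password", "bonehead", "sunshine", "welcome"}

PBKDF2_ITERATIONS = 50_000    # illustrative; tune to the server hardware
MIN_LENGTH = 8                # rule 1
MAX_AGE = timedelta(days=90)  # rule 2
MIN_AGE = timedelta(days=3)   # rule 3
HISTORY_DEPTH = 12            # rule 4


@dataclass(frozen=True)
class HistoryEntry:
    """Per past password the server keeps only a random salt, the salted
    digest and the time it was set: no plaintext, nothing reversible."""
    salt: bytes
    digest: bytes
    set_at: datetime


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def new_entry(password, set_at=None):
    salt = os.urandom(16)
    return HistoryEntry(salt, derive(password, salt), set_at or datetime.now())


def reuses_old_password(candidate, history):
    """History check without stored plaintext: re-derive the candidate with
    each old entry's own salt and compare digests in constant time."""
    return any(hmac.compare_digest(derive(candidate, e.salt), e.digest)
               for e in history[-HISTORY_DEPTH:])


def check_candidate(candidate, history):
    """Return the list of content-rule violations for a proposed password."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    word = re.fullmatch(r"([a-z]+)[0-9]*", lowered)   # krautland's rule
    if word and word.group(1) in DICTIONARY_WORDS:
        problems.append("dictionary word optionally followed by digits")
    if reuses_old_password(candidate, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(history, now):
    """Rule 2: a change is due once the current password is 90 days old."""
    return bool(history) and now - history[-1].set_at >= MAX_AGE


def change_password(candidate, history, now):
    """Apply rules 1 to 4; on success append a history entry and return []."""
    problems = check_candidate(candidate, history)
    if history and now - history[-1].set_at < MIN_AGE:
        problems.append("current password is younger than 3 days")
    if not problems:
        history.append(new_entry(candidate, now))
    return problems


def simulate():
    """Walk one account through the thread's scenario and return the outcomes:
    a too-early change, a valid change, an expiry check, an old-password reuse."""
    day0 = datetime(2009, 1, 12, 9, 0)   # constructed: first day back from break
    history = []
    assert change_password("Tr0ub4dor&3", history, day0) == []
    too_early = change_password("Ch4nge.Me!", history, day0 + timedelta(days=1))
    accepted = change_password("Ch4nge.Me!", history, day0 + timedelta(days=5))
    expired = password_expired(history, day0 + timedelta(days=95))
    reused = change_password("Tr0ub4dor&3", history, day0 + timedelta(days=95))
    return too_early, accepted, expired, reused


if __name__ == "__main__":
    for pw in ("niceness", "niceness1", "niceness2", "HURhwqref*1-241"):
        print(f"{pw!r}: {check_candidate(pw, []) or 'ok'}")
    print(simulate())
```

Run as a script it shows General Malaise's "niceness1", "niceness2" sequence being rejected while the random string passes, then the dated scenario exercising the 3-day and 90-day rules.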

My undergraduate school required a new password of X variables and of Y length every semester, and that you could not use the previous password again immediately. Essentially rotating a complex password every semester. The graduate school where I worked used essentially the same rules. Both institutions left themselves open to people guessing the passwords, but really students and even most staff didn't have access to anything important. The worst they could do was spam the email servers for an hour or so, or blow through searches on expensive reference libraries, etc. All of these things were easily noticed and stopped.

Also consider the rules for when an account gets locked out. During the first part of my undergraduate career faculty and student accounts got locked out after three attempted logins, and all account names were the same as the person's email account. This led to many many many days of students locking professors out of their accounts before lecture even started. This policy was eventually changed to something undergrads couldn't easily take advantage of, but not until several semesters were wasted dealing with petty fights between faculty and students.
posted by Science! at 1:42 PM on December 17, 2008

The emphasis here on "small liberal arts college" seems a red herring. People at small liberal arts colleges depend upon their computer network security just the same as at any educational, commercial, or governmental institution.
posted by gyusan at 1:44 PM on December 17, 2008 [1 favorite]

We have a similar policy at work. Almost everyone hates it. Here's the most common workaround people use:

write one's password on a piece of paper and tape it to one's keyboard/monitor.

The second most common is to work through the list of required password changes as fast as possible until the user can use "their" password again. Requiring three days between changes would drive my boss into a screaming rage. You can bet that your poor helpdesk people are going to be subject to hours of abuse because of this.

The rest of us use some sort of incrementing system: user bonehead with password bonehead1 through bonehead12, for example. The problem with this method is that these users often hit the account lock-out limit before they remember their password increment. I fail to see how this is more secure than the second option.

The moral of the story is this: users are going to find some way to make remembering their password as simple as possible. Fighting this shows a distinct lack of understanding of human psychology, and leads to users holding IT in contempt. If you want true security, use a two-factor system instead: RSA keys + password, for example.
posted by bonehead at 1:50 PM on December 17, 2008

eh, except for point 3, this has been the password rule at all the companies i've worked at in the past 8 years. very common. pointless, but common.

pointless because a) most people just wrote down their password on a sticky on their monitor since they couldn't remember the new one they just had to pick, b) did things like password1, password2, etc., c) could never remember their password ever so were constantly retrieving their lost password.

so, really, i understand your frustration, but it's really not something that's uncommon or worth getting your hackles (heckles?) up over.
posted by misanthropicsarah at 2:05 PM on December 17, 2008

This is the exact policy I have at my workplace, which is a nonprofit membership organization and publisher with approximately 150 employees. This was the case even before this ultra-secure password permitted remote file server access.

I think it's overkill, but it's obviously in some manual of best practices somewhere.

The worst part is not being able to use any of the last 12 passwords. My general strategy for dealing with frequent password changes is to use a series of things in a particular order (names of seasons, references to movies/books and their sequels, characters in a movie/tv show by their age, colors by ROYGBIV, etc.) Harder to find a series of 13, though. If someone can agitate for a change to the policy, see if you can get them to limit the restriction to the last four passwords.
posted by desuetude at 2:13 PM on December 17, 2008

jmd82 - Regarding point 3 - but if the password can't be changed, wouldn't that mean an intruder is guaranteed free rein until someone actually realizes that there's been an intrusion?

Look at the case in SF a few months ago: a sysadmin locked out everyone else because he changed the admin password. This is where the "can't change password" rationale comes from.
Regardless, I disagree with the policy.
posted by jmd82 at 2:22 PM on December 17, 2008

You must use a password for at least 3 days before it can be changed.

Yeah, as others have said this is actually a security hole--if you know your password has been compromised, you need to be able to change it ASAP. If the reason for this is simply to avoid the obvious workaround for #4, then why not make #4 "Cannot reuse a password that has been used within the past two years" rather than "cannot reuse the last twelve passwords?" (I have no idea if this is feasible from a technical standpoint.)
posted by DevilsAdvocate at 2:32 PM on December 17, 2008

I have a credit card that uses a policy sort of like this. Every single time that I log in to their web site, I have to use the "forgot password" process. Their policy for what is an "acceptable" password and username requires both to be in a different format from all the other ones I use. I can't even remember my username!

Not being able to reuse any of the last 12 means that people are going to forget, or else they will keep the passwords offline in places that are not secure: pieces of paper, their web mail accounts, their phones, who knows where.

Also, is there something magical about having it be 8 characters long? Back in the 90s I was required to create 7-character passwords, and those have stuck with me. Obviously the more characters you add, the harder it is to crack, but it seems sort of arbitrary. If 8 is good, why not 9? 10? 12? 20?
posted by Robert Angelo at 3:25 PM on December 17, 2008

By the way, what you suggested (the OP) is pretty much exactly like what the federal government in the US uses. It's horribly annoying. I don't think a small liberal arts college needs quite that level of security, but I don't know.
posted by majikstreet at 4:24 PM on December 17, 2008

Here's what the Navy uses for password criteria.

Passwords must be changed every 60 days.
Passwords must be at least 15 characters long.
Passwords can only be changed once in a 24-hour period.
Passwords cannot contain English words of 3 or more letters.
Passwords cannot have consecutive identical characters.
New passwords must differ from the previous password by at least 4 characters.
Spaces are not allowed at the end of a password.

Passwords must have at least the following:
Two or more upper case letters
Two or more lower case letters
Two or more numeric digits
Two or more special characters.

In short, fuck you, Navy internet gods.
posted by squorch at 5:05 PM on December 17, 2008

FWIW, my place of employment, where I don't set the policy, has the same rules, but additionally requires that all passwords contain at least one uppercase character, one lowercase character and a number/symbol.
posted by Brian Puccio at 5:12 PM on December 17, 2008

Can you point to "best practices" elsewhere? MIT, with an IS&T department so paranoid about security that they built their own authentication system (which has subsequently been adopted by a zillion other places), has no mandatory password changes ever, and for that matter freely distributes the root password for their public machines. This is for general (student, faculty, staff) access to email, shared applications like Matlab, etc.

My understanding (woefully incomplete despite 15 years there) is that the security is instead based around limiting the damage a compromised password can do (e.g., it potentially hurts the compromised user but nobody else) and being able to roll back any mayhem caused by a superuser run amok. The general theory was that students at MIT were going to hack into the machines anyway, which honestly is a good assumption anywhere.

Truly sensitive information (admissions info, security clearances, etc) is of course protected by a more-paranoid authentication system, but now all of a sudden we're talking about maybe 100 users out of 30,000, with this data kept on separate servers.
posted by range at 5:30 PM on December 17, 2008 [1 favorite]

Your password must be at least 8 characters

This is the only good requirement of the four.

Your password must be changed every 90 days

The faculty will kill you.

You must use a password for at least 3 days before it can be changed.

This makes no sense. What are you going to do with someone whose account is compromised within a day of changing their password?

You may not reuse the previous 12 passwords.

The faculty will kill you.
posted by oaf at 8:29 PM on December 17, 2008 [1 favorite]

The password complexity requirements are a good idea because they actually prevent a real-world attack; the 90-day change requirement is stupid and hostile to users, and probably to security as well, since it encourages algorithmic passwords and writing passwords down in a convenient, easily accessible location.

However, you're not going to convince IT of this. Their hands are apparently tied because of the "auditors," who are probably reading out of some book that just cribs from what other places do.

The best thing you can do is try to educate other users about why certain aspects of the policy are bad, and encourage them to make their case to IT, and more importantly to the college leadership (administrators, deans, whomever hired the auditors), and hopefully convince them. Arguing with the guy at the Helpdesk, or even his boss, isn't going to get you anywhere.

I've seen really smart people implement really boneheaded security policies. There's a sort of creeping groupthink that seems to overtake people when they deal with security issues. Rather than think clearly about what a good policy would be, they just look furtively at what everyone else seems to be doing, and then implement it unthinkingly. That's why you get places doing 90, 60, or even 30 (!) day forced password changes, even when there's no real reason to: they're doing it because they know other people do it, and therefore think it must be a Good Idea.

I'm pretty sure Bruce Schneier has written extensively on what makes good and bad password policies, but I can't turn up anything at the moment.
posted by Kadin2048 at 10:47 PM on December 17, 2008

You may not reuse the previous 12 passwords.

This is a terrible policy. Just terrible.

Rotating between a few different, common passwords is one thing. Asking people to remember new nonsensical alpha-numeric strings each at least 8 characters long every few months is going to force them to do one thing that will ultimately trump all your procedures. They will write them down.
posted by Civil_Disobedient at 2:46 AM on December 18, 2008 [1 favorite]

You might find this paper useful: The Memorability and Security of Passwords -- Some Empirical Results. It's from Ross Anderson, Professor of Security at the University of Cambridge Computer Laboratory, and has become a bit of a classic on this subject.
posted by tallus at 3:11 AM on December 18, 2008

Here are the policies for the large university I work for:
• Must be 8 – 15 alphanumeric characters
• Must contain upper & lower case characters
• Must contain a number
• Must NOT contain a number as the first or last character
• Must NOT contain any word found in a dictionary
• May contain punctuation marks
posted by davcoo at 5:06 AM on December 18, 2008
