Geekzone: technology news, blogs, forums


blackjack17

1705 posts

Uber Geek


#199109 4-Aug-2016 19:46

Hi

I work in a school with around 300 staff and 1200 students. I am not in the ICT department but am involved in ICT at the school.

Just wondering what corporates do in regard to password resetting. We are looking at moving to a 90 day password reset for staff and an annual one for students, would this be normal? As teachers our computers do have access to a lot of very private data.

We would also like to have a self service option for password resetting but apparently this is difficult? Currently if passwords are forgotten ICT have to reset them.

A quick Google suggests a couple of different options but does anyone have any that they would recommend?

cheers





freitasm
BDFL - Memuneh
79316 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1604565 4-Aug-2016 20:05

Frequent password changes are bad. People tend to use something they can remember and having to change passwords frequently makes people more tempted to use something shorter and easier to remember.

Just on this subject there was a wave of articles out yesterday exactly on the same notion of "too frequent is too bad" (Ars Technica).

I personally just make sure the password I use is unique for each service and where possible use 2FA (either a software authenticator token or an SMS).









blackjack17

1705 posts

Uber Geek


  #1604571 4-Aug-2016 20:13

freitasm:

I personally just make sure the password I use is unique for each service and where possible use 2FA (either a software authenticator token or an SMS).

I did bring up the issue of changing too often and was shut down by the IT manager saying that what is common with corporate is every 4 weeks. I was also shut down when I suggested a separate login for our computer and software which contains the personal software.

With Windows AD is there a 2FA software that you would recommend? MIM2016?





freitasm
BDFL - Memuneh
79316 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1604581 4-Aug-2016 20:25

Some people...









MikeB4
18435 posts

Uber Geek

ID Verified
Trusted

  #1604588 4-Aug-2016 20:38

Three monthly is reasonable


Andib
1364 posts

Uber Geek

ID Verified
Trusted

  #1604591 4-Aug-2016 20:39

Disclaimer: I work for an MSP that implements and resells Activate (a different part of the company which I don't work for, but I'm actively involved with implementing and managing this for our customers).

For self service resets I highly recommend Activate. We heavily use most of the modules and once in place it requires very little admin to manage and is very customisable to suit your needs.

http://activatelive.com







k1w1k1d
1530 posts

Uber Geek


  #1604628 4-Aug-2016 21:20

At work we have to change some of our website passwords on a regular basis.

We are not IT and consider this just a pain in the a***. Most people just select a simple password that has a number on the end, eg Halfwit1.

You can guess what the next password is.

Gets around the need to change, but isn't very secure.


mdf
3523 posts

Uber Geek

Trusted

  #1604646 4-Aug-2016 22:01

A large organisation I have some involvement with has just shifted to Okta. Apparently one of the market leaders in the space.


 
 
 

andrew027
1286 posts

Uber Geek


  #1604759 5-Aug-2016 08:31

While I agree with everything @freitasm said (infrequent changes, different passwords for different applications/logins, 2FA if possible), in my experience almost every workplace will require regular password changes. What varies is the frequency.

I don't know if your IT manager is correct in saying four weeks is common in the business world. I have only worked in one place where it was that frequent and it was a pain in the @$$. As others have said, it encourages bad habits (reusing words and changing a number at the end, rotating through a list of half a dozen that you keep reusing, writing them down, etc.). In my opinion three-monthly is not unreasonable - it's the interval used by both my current employer and my previous one. Coming up with four passwords a year isn't particularly onerous.


Inphinity
2780 posts

Uber Geek


  #1604784 5-Aug-2016 09:01

Many of the major security-oriented standards and guidelines (e.g. PCI DSS) use 90 days as an expected baseline for password reset frequency in a business environment containing what could be deemed secure data.


nathan
5695 posts

Uber Geek
Inactive user


  #1604861 5-Aug-2016 10:30

As a school you have access to very low cost Microsoft solutions for both 2FA and Self Service Password Management.

Check out:

Self Service Password Reset feature

Azure for Multi-Factor Authentication


nathan
5695 posts

Uber Geek
Inactive user


  #1604889 5-Aug-2016 10:55

You may want to have your IT manager "security guy" read this:

Just because security people have been enforcing mandatory password expiration methods for years does not make them right.

http://research.microsoft.com/pubs/265143/Microsoft_Password_Guidance.pdf

mandatory password expiration periods should either not be enforced at all or should be lengthened considerably

short, mandatory expiry periods do encourage password root word repetition.

forcing password changes helps offset the issue of password re-use on other web sites, which cannot be mitigated any other way. Most web sites don't force users to change passwords, but if the corporate one does, then it's going to be hard for a user to reuse their same corporate password across a bunch of unrelated web sites over time. It could be that password expiry saves us from the other threat more often than bad guys use it for their advantage in guessing corporate passwords.


PANiCnz
990 posts

Ultimate Geek


  #1605110 5-Aug-2016 17:13

Across the industry there is a growing trend towards pushing out password expiry. Anything from 180 to 365 days is becoming common, with focus instead being placed on password composition and technology like 2 factor.

Behodar
10517 posts

Uber Geek

Trusted
Lifetime subscriber

  #1605137 5-Aug-2016 17:58

For what it's worth, a year ago we changed from six weeks to three months, and a couple of months ago increased it to six months if your password meets certain complexity requirements. I have no idea how hard that is to configure though!
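On the "how hard is that to configure" question: for on-prem Windows AD (which the thread is about), the mechanism is a fine-grained password policy (PSO) layered over the domain default. The script below is an added example, not from any poster or from Microsoft; it keeps a 90-day default and gives one group a 180-day expiry in exchange for a 16-character minimum. The group name, PSO name and user name are assumptions.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module
# and rights to edit domain password settings. Group/PSO/user names are assumed.
Import-Module ActiveDirectory

$Domain = Get-ADDomain

# Domain-wide baseline: 90-day expiry, 12+ chars, complexity on. Note that
# password history only blocks exact reuse; it does not stop Halfwit1 -> Halfwit2,
# which is the root-word repetition the thread complains about.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain.DistinguishedName `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24

# Assumed security group: staff who opt into longer, stronger passwords.
$GroupName = 'Staff-LongPassword'
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# PSO: 180-day expiry but a 16-character minimum and lockout after 10 bad
# attempts. When a user falls under several PSOs, the lowest Precedence wins.
$PsoName = 'PSO-Staff-180day-16char'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 180) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 16 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
        -LockoutDuration (New-TimeSpan -Minutes 15) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# Check which policy actually applies to one user (assumed sAMAccountName),
# since the resultant policy is what expiry and lockout are computed from.
Get-ADUserResultantPasswordPolicy -Identity 'jsmith' |
    Select-Object Name, MaxPasswordAge, MinPasswordLength, ComplexityEnabled
```

Group membership, not the policy itself, decides who gets the longer expiry, so the 16-character requirement is enforced only on the next password change for users added to the group.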


clinty
1183 posts

Uber Geek

Lifetime subscriber

  #1605176 5-Aug-2016 19:03

We are looking at recommending the removal of the expiry policy, but increasing the complexity and stressing to users that this password (for a school system) should never be used anywhere else due to the nature of data that can be accessed. 2FA is also on the cards.

jhsol
102 posts

Master Geek


  #1605263 6-Aug-2016 06:54

blackjack17:

freitasm:

I personally just make sure the password I use is unique for each service and where possible use 2FA (either a software authenticator token or an SMS).

I did bring up the issue of changing too often and was shut down by the IT manager saying that what is common with corporate is every 4 weeks. I was also shut down when I suggested a separate login for our computer and software which contains the personal software.

With Windows AD is there a 2FA software that you would recommend? MIM2016?

https://technet.microsoft.com/en-us/magazine/ff741764.aspx

There is no one size fits all requirement, but if you need evidence MS recommends 30, 60 or 90 days for organisations where security is a concern and 120, 150, 180 for where it is not. 90 days is a perfectly good compromise, still fitting within the MS recommended security profile whilst admitting that you are a school and not the GCSB (or some other high security information store). Usually IT strategies are decided upon by a group of people (ie Senior Leadership Team or similar), so if you put the idea forward with some evidence that 90 days is practicable and still secure for a school you shouldn't have too much resistance from the group.

All the agencies I've worked for (2 in govt in NZ) have 90 day password expiry dates, which includes my current employer (1200 staff govt agency), so feel free to use that as a precedent if you need.

