Geekzone: technology news, blogs, forums
Topic # 199109 4-Aug-2016 19:46
Hi

I work in a school with around 300 staff and 1200 students. I am not in the ICT department but am involved in ICT at the school.

Just wondering what corporates do in regard to password resetting. We are looking at moving to a 90 day password reset for staff and an annual one for students, would this be normal? As teachers our computers do have access to a lot of very private data.

We would also like to have a self service option for password resetting but apparently this is difficult? Currently if passwords are forgotten ICT have to reset them.

A quick Google suggests a couple of different options but does anyone have any that they would recommend?

cheers

BDFL - Memuneh
  Reply # 1604565 4-Aug-2016 20:05
3 people support this post
Frequent password changes are bad. People tend to use something they can remember and having to change passwords frequently makes people more tempted to use something shorter and easier to remember.

Just on this subject there was a wave of articles out yesterday exactly on the same notion of "too frequent is too bad" (Ars Technica).

I personally just make sure the password I use is unique for each service and where possible use 2FA (either a software authenticator token or an SMS).

  Reply # 1604571 4-Aug-2016 20:13
freitasm:

I personally just make sure the password I use is unique for each service and where possible use 2FA (either a software authenticator token or an SMS).

I did bring up the issue of changing too often and was shut down by the IT manager saying that what is common with corporate is every 4 weeks. I was also shut down when I suggested a separate login for our computer and software which contains the personal software.

With Windows AD is there a 2FA software that you would recommend? MIM2016?

  Reply # 1604588 4-Aug-2016 20:38
Three monthly is reasonable

Mike
Retired IT Manager.
The views stated in my posts are my personal views and not that of any other organisation.
Mac user, Windows curser, Chrome OS desired.
The great divide is the lies from both sides.

  Reply # 1604591 4-Aug-2016 20:39
One person supports this post
Disclaimer: I work for an MSP that implements and resells Activate (a different part of the company which I don't work for, but I'm actively involved with implementing and managing this for our customers).

For self service resets I highly recommend Activate. We heavily use most of the modules and once in place it requires very little admin to manage and is very customisable to suit your needs.

http://activatelive.com 


  Reply # 1604628 4-Aug-2016 21:20

At work we have to change some of our website passwords on a regular basis.

We are not IT and consider this just a pain in the a***. Most people just select a simple password that has a number on the end, eg Halfwit1.

You can guess what the next password is.

Gets around the need to change, but isn't very secure.

mdf

  Reply # 1604646 4-Aug-2016 22:01
A large organisation I have some involvement with has just shifted to Okta. Apparently one of the market leaders in the space.


  Reply # 1604759 5-Aug-2016 08:31
While I agree with everything @freitasm said (infrequent changes, different passwords for different applications/logins, 2FA if possible) in my experience almost every workplace will require regular password changes. What varies is the frequency.

I don't know if your IT manager is correct in saying four weeks is common in the business world. I have only worked in one place where it was that frequent and it was a pain in the @$$. As others have said, it encourages bad habits (reusing words and changing a number at the end, rotating through a list of half a dozen that you keep reusing, writing them down, etc.). In my opinion three-monthly is not unreasonable - it's the interval used by both my current employer and my previous one. Coming up with four passwords a year isn't particularly onerous.

  Reply # 1604784 5-Aug-2016 09:01
Many of the major security-oriented standards and guidelines (e.g. PCI DSS) use 90 days as an expected baseline for password reset frequency in a business environment containing what could be deemed secure data.






Trusted
Microsoft

  Reply # 1604861 5-Aug-2016 10:30
One person supports this post
As a school you have access to very low cost Microsoft solutions for both 2FA and Self Service Password Management.

Check out:

Self Service Password Reset feature

Azure for Multi-Factor Authentication

  Reply # 1604889 5-Aug-2016 10:55
One person supports this post
You may want to have your IT manager "security guy" read this:

Just because security people have been enforcing mandatory password expiration methods for years does not make them right.

http://research.microsoft.com/pubs/265143/Microsoft_Password_Guidance.pdf

mandatory password expiration periods should either not be enforced at all or should be lengthened considerably

short, mandatory expiry periods do encourage password root word repetition.

forcing password changes helps offset the issue of password re-use on other web sites, which cannot be mitigated any other way. Most web sites don't force users to change passwords, but if the corporate one does, then it's going to be hard for a user to reuse their same corporate password across a bunch of unrelated web sites over time. It could be that password expiry saves us from the other threat more often than bad guys use it for their advantage in guessing corporate passwords.

  Reply # 1605110 5-Aug-2016 17:13
Across the industry there is a growing trend towards pushing out password expiry. Anything from 180 to 365 days is becoming common, with focus instead being placed on password composition and technology like 2 factor.

  Reply # 1605137 5-Aug-2016 17:58
For what it's worth, a year ago we changed from six weeks to three months, and a couple of months ago increased it to six months if your password meets certain complexity requirements. I have no idea how hard that is to configure though!


  Reply # 1605176 5-Aug-2016 19:03
One person supports this post
We are looking at recommending the removal of the expiry policy, but increasing the complexity and stressing to users that this password (for a school system) should never be used anywhere else due to the nature of data that can be accessed. 2FA is also on the cards.

  Reply # 1605263 6-Aug-2016 06:54
blackjack17:

freitasm:

I personally just make sure the password I use is unique for each service and where possible use 2FA (either a software authenticator token or an SMS).

I did bring up the issue of changing too often and was shut down by the IT manager saying that what is common with corporate is every 4 weeks. I was also shut down when I suggested a separate login for our computer and software which contains the personal software.

With Windows AD is there a 2FA software that you would recommend? MIM2016?

https://technet.microsoft.com/en-us/magazine/ff741764.aspx

There is no one size fits all requirement, but if you need evidence MS recommends 30, 60 or 90 days for organisations where security is a concern and 120, 150, 180 for where it is not. 90 days is a perfectly good compromise on still fitting within the MS recommended security profile whilst admitting that you are a school and not the GCSB (or some other high security information store). Usually IT strategies are decided upon by a group of people (i.e. Senior Leadership Team or similar), so putting the idea forward with some evidence that 90 days is practicable and still secure for a school, you shouldn't have too much resistance from the group.

All the agencies I've worked for (2 in govt in NZ) have 90 day password expiry dates, which includes my current employer (1200 staff govt agency), so feel free to use that as precedent if you need.

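For the Windows AD setup the original question describes (90-day expiry for staff, annual for students) and the "longer expiry if the password is stronger" variant one reply mentions, the mechanism is AD fine-grained password policies. The following is an added example, not code from this thread, from Microsoft or from any product mentioned here: the cmdlets are the standard ActiveDirectory module ones, while the group names (Staff, Students, Staff-LongPassword), the policy names, the length and lockout values and the jbloggs account are all assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module,
# a domain functional level of 2008 or later, and three hypothetical security
# groups: "Staff", "Students" and "Staff-LongPassword".
Import-Module ActiveDirectory

# Look at the domain-wide defaults first; a FGPP overrides them only for its subjects.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                  PasswordHistoryCount, ComplexityEnabled, LockoutThreshold

# Shared lockout settings so the three policies only differ where intended.
$lockout = @{
    LockoutThreshold         = 10
    LockoutDuration          = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow = (New-TimeSpan -Minutes 30)
}

# Staff: 90-day expiry. A history of 24 (the AD maximum) together with a 1-day
# minimum age stops a user cycling straight back to Halfwit1 after a forced change.
New-ADFineGrainedPasswordPolicy -Name "Staff-90day" -Precedence 20 @lockout `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 12 -PasswordHistoryCount 24 -ComplexityEnabled $true
Add-ADFineGrainedPasswordPolicySubject -Identity "Staff-90day" -Subjects "Staff"

# Staff who opt in to a longer minimum length get 180 days instead. The policy
# with the lowest precedence number wins when a user is a subject of more than one.
New-ADFineGrainedPasswordPolicy -Name "Staff-180day-Long" -Precedence 10 @lockout `
    -MaxPasswordAge (New-TimeSpan -Days 180) -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 16 -PasswordHistoryCount 24 -ComplexityEnabled $true
Add-ADFineGrainedPasswordPolicySubject -Identity "Staff-180day-Long" -Subjects "Staff-LongPassword"

# Students: annual expiry.
New-ADFineGrainedPasswordPolicy -Name "Students-365day" -Precedence 30 @lockout `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 8 -PasswordHistoryCount 24 -ComplexityEnabled $true
Add-ADFineGrainedPasswordPolicySubject -Identity "Students-365day" -Subjects "Students"

# Check which policy actually applies to one account (jbloggs is a placeholder).
Get-ADUserResultantPasswordPolicy -Identity "jbloggs" | Select-Object Name, MaxPasswordAge

# Report enabled accounts whose password expires within 14 days under the resultant
# policy, e.g. to drive a warning email before the helpdesk gets the reset call.
# msDS-UserPasswordExpiryTimeComputed is a FILETIME; 0 means "must change at next
# logon" and Int64.MaxValue means "never expires", so both are skipped.
$cutoff = (Get-Date).AddDays(14)
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
           -Properties "msDS-UserPasswordExpiryTimeComputed" |
    Where-Object { $_."msDS-UserPasswordExpiryTimeComputed" -gt 0 -and
                   $_."msDS-UserPasswordExpiryTimeComputed" -lt [Int64]::MaxValue } |
    Select-Object SamAccountName,
        @{ n = "Expires"; e = { [DateTime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") } } |
    Where-Object { $_.Expires -lt $cutoff } |
    Sort-Object Expires
```

Two points worth knowing before running something like this. A FGPP is selected by group membership, not by inspecting the password itself, so "six months if the password meets higher requirements" is implemented as an opt-in group whose policy carries the higher minimum length. And shortening MaxPasswordAge takes effect immediately against each account's existing pwdLastSet, so moving a population from annual to 90 days can expire a large number of accounts at once; running the expiry report first shows how many users will be hit on day one.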
