  Reply # 1605377 6-Aug-2016 12:05

Password expiry is only one aspect; password reuse is the other biggie.

SWMBO is a teacher at a local primary with a 90-day expiry with complexity requirements, but she's learned to simply swap between two as they have no reuse time limit.
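Added example (not code from the thread): a password-change check that keeps a history of previous hashes and enforces a minimum password age, which is what closes the two-password swap described above. The account model, dates and sample passwords are constructed for illustration.

```python
"""Constructed password-history and minimum-age check (added example, not from
the thread). A 90-day expiry with no reuse history lets a user alternate between
two passwords; a hash history plus a minimum age rejects that pattern."""
import hashlib
import hmac
import os
from datetime import date, timedelta

HISTORY_DEPTH = 5             # remember the last 5 password hashes
MIN_AGE = timedelta(days=1)   # no second change within a day of the last one


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password: str, set_on: date):
        self.history = []       # (salt, hash) pairs, newest last
        self.changed_on = set_on
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]

    def reused(self, candidate: str) -> bool:
        # Re-hash the candidate under each stored salt; constant-time compare.
        return any(hmac.compare_digest(_hash(candidate, s), h)
                   for s, h in self.history)

    def change(self, new_password: str, today: date):
        """Return (ok, reason); the password is recorded only when ok."""
        if today - self.changed_on < MIN_AGE:
            return False, "minimum password age not reached"
        if self.reused(new_password):
            return False, "matches one of the last %d passwords" % HISTORY_DEPTH
        self._store(new_password)
        self.changed_on = today
        return True, "changed"


def simulate(initial: str, attempts, start: date = date(2016, 8, 6)):
    """attempts: (days to advance the clock, new password) pairs -> reasons."""
    acct, today, reasons = Account(initial, start), start, []
    for days, pw in attempts:
        today += timedelta(days=days)
        reasons.append(acct.change(pw, today)[1])
    return reasons
```

Running `simulate("Winter2016!", [(90, "Summer2016!"), (90, "Winter2016!")])` shows the second change rejected, which is the swap the post describes.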

  Reply # 1605450 6-Aug-2016 14:22

jhsol:
... you are a school and not the GCSB ...
All the agencies I've worked for (2 in govt in NZ) have 90-day password expiry dates, which includes my current employer (1200 staff govt agency), so feel free to use that as precedent if you need.

The GCSB themselves recommend 90 days!

See The NZ Information Security Manual at http://www.gcsb.govt.nz/publications/the-nz-information-security-manual/, Part 2, Chapter 16, paragraph 16.1.22.C.01, on page 345: "Agencies MUST ... ensure that passwords are changed at least every 90 days;"
  Reply # 1606352 8-Aug-2016 14:37
One person supports this post

I've seen both sides of this.

One company I worked at had strict password reset (6 weeks) and password complexity requirements.

So... in the REAL WORLD, what happened is passwords simply were too complex and changed too often to be remembered by those who simply don't care.
So, what actually happens is, passwords get written on a scrap of paper and taped to the monitor. I've seen that, often.

So much for security, eh.
Security is also about managing people. Managing people is not just making rules.
  Reply # 1606390 8-Aug-2016 15:43

I would use 90 days for all passwords and 2FA for staff.
  Reply # 1606391 8-Aug-2016 15:45

The UK government's National Technical Authority for Information Assurance advises organisations on how to protect their information and information systems. They say:

"...the conversation we've had with people all around the public sector hasn't been a happy one when it comes to passwords. When every system needs a different password, the complexity settings for each system are set high, and password changes are enforced frequently, the outcome is not better security... we've learnt about how trying to make passwords more secure means systems end up less secure. When we're overloaded with passwords, we all end up breaking the rules: we use the same passwords across different systems, we use coping strategies to make passwords more memorable (and thus more easily guessed), and we store passwords insecurely. Jokes about passwords on sticky notes underneath keyboards aren't jokes.

When we overload users with passwords, we also add cost. There's the cost of dealing with increased password resets and account lockouts, and by putting up barriers in the name of security, we reduce the functionality of systems, and make it harder for people to do their jobs.

...the result is that we're asking users to put in more work remembering complicated passwords, for no actual extra security benefit."

Their full advice on passwords is here: Password guidance: Simplifying your approach.
  Reply # 1606402 8-Aug-2016 15:58

Thanks for all the replies. We are going to go 90 days for all staff; we just want to get self service for forgotten passwords going beforehand to reduce the increased workload for the IT staff.

I don't think we will go 90 days for students simply due to the problems with forgotten passwords; we go from year 0 to 13. Expecting 5 year olds to remember a password change is a bit much (hard enough with 18 year olds).

Can anyone think of any reason not to use MIM 2016 (Microsoft Identity Manager) rather than one of the other 3rd party options like ureset, activate, okta? For those that have talked about the 3rd party options, is there a reason your company went with what they did?

(disclaimer: I am not in the IT department, I'm simply a teacher who is a staff representative on the IT team)
  Reply # 1606414 8-Aug-2016 16:14

blackjack17:
Can anyone think of any reason not to use MIM 2016 (Microsoft Identity Manager) rather than one of the other 3rd party options like ureset, activate, okta? For those that have talked about the 3rd party options, is there a reason your company went with what they did?

We use Activate because of its wider feature set (User Provisioning and Folder, Mailbox and Sharepoint user access). If you're just after password resets, MIM looks like a good option.