[unisog] Password Expiration Policy

Gary Dobbins dobbins at nd.edu
Fri Oct 12 16:05:41 GMT 2007

1) Yes, since mid-2005
2) 180 days
3) same as for staff/faculty; nobody's excepted
4) at least 2 years

We devised a handy scheme for rolling out the new policy, to avoid the
"whump" sound when everyone's expires the same day.  After fully publicizing
the new policy, and answering plenty of questions...
We set everyone's password to expire at a day chosen at random within the
upcoming academic year.  This way, from the day the policy went into effect,
everyone had at least 180 days of password-life left, the average being
flat-distributed between 180-360 days.  The system emails alerts beginning
30 days in advance of expiry, with an increasing frequency (e.g. 30, 15, 10,
7, 5,4,3,2,1 days prior).

What we saw was an initial burst of folks changing theirs on the day the new
policy was announced, then almost 6 months of low change activity, and then
a very steady stream of changes as they expired over the next 6 months.

Overall, about a dozen complaints made it my way (spread flat across that
academic year, coincidentally).  Each one received a personal reply
explaining why we believe this to be an important measure, thanking them for
bearing the inconvenience, and offering further discussion.  None have

Prior to doing it, it looked like it could be an impossible culture change.
Looking back, it was relatively painless, and we have one more hole plugged
(or at least reduced in size).  Having top executive sponsorship is key, as

> -----Original Message-----
> From: unisog-bounces at lists.dshield.org [mailto:unisog-
> bounces at lists.dshield.org] On Behalf Of Ian Lazerwitz
> Sent: Friday, October 12, 2007 9:28 AM
> To: unisog at lists.sans.org
> Subject: [unisog] Password Expiration Policy
> Folks -
> I would like to get some information for my management regard a
> password
> expiration policy.  General University management has reservations
> about
> putting a policy like this in place.  Please take the time to answer
> the
> following questions.
> 1.  Do you have a password expiration policy in place?
> 2. If so, how many days are your passwords set to expire?
> 3. Do you enforce this for your students?
> 4. How long has this policy been in effect?
> Any additional information you care to provide will me much
> appreciated.
> Regards,
> Ian Lazerwitz, GSEC, MBA
> Information Security Officer
> Pace University
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog

More information about the unisog mailing list