[unisog] Password Expiration Policy

Les Mitchell mitchell at usq.edu.au
Fri Oct 12 22:09:14 GMT 2007


1. Yes
2. 90 days, logon & email reminders set to start 14 days before expiration
3. No, reminder to change password displayed on logon after each 90 days.
Also includes reminder of University rules/regulations acceptance etc.
4. Several years. Policy approved at senior management level prior to
rollout.

Minimum length of 6 characters (recommend 8)
History of 10 last passwords
Account lockout after 5 contiguous incorrect attempts
Must change initial password on first use

The policy was fairly well received by staff without too many complaints.
Especially compared to later addition of: Do not display last logon name;
and, Activation of password protected screen saver after 15 minutes (I
think).

Most difficulty was associated with adopting this policy for system accounts
- e.g. Change local administrator account password on all SOE desktops;
Change privileged system accounts on servers and applications.
[Administrators can sometimes be harder to convince than clients ;-) ]

Les Mitchell
USQ


On 12/10/07 11:28 PM, "Ian Lazerwitz" <ilazerwitz at pace.edu> wrote:

> Folks -
> 
> I would like to get some information for my management regarding a password
> expiration policy.  General University management has reservations about
> putting a policy like this in place.  Please take the time to answer the
> following questions.
> 
> 1.  Do you have a password expiration policy in place?
> 2. If so, how many days are your passwords set to expire?
> 3. Do you enforce this for your students?
> 4. How long has this policy been in effect?
> 
> Any additional information you care to provide will be much appreciated.
> 
> Regards,
> Ian Lazerwitz, GSEC, MBA
> Information Security Officer
> Pace University
> 
> 
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog


This email (including any attached files) is confidential and is for the
intended recipient(s) only.  If you received this email by mistake,
please, as a courtesy, tell the sender, then delete this email.

The views and opinions are the originator's and do not necessarily
reflect those of the University of Southern Queensland.  Although all
reasonable precautions were taken to ensure that this email contained no
viruses at the time it was sent we accept no liability for any losses
arising from its receipt.

The University of Southern Queensland is a registered provider of
education with the Australian Government (CRICOS Institution Code No's.
QLD 00244B / NSW 02225M)
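An added example, not part of Les's reply or of any USQ system: a small Python model of the five account controls his post lists (90-day expiry with a 14-day reminder window, minimum length, a 10-password history, lockout after 5 consecutive failures, and forced change of the initial password), so each rule can be exercised against a constructed account. The policy constants are the values from the post; the `Account` record, the function names, the salted PBKDF2 hashing and the `demo()` scenario are assumptions made for this illustration.

```python
# Added illustration (not from the original post). Constants are the values
# Les reports; the Account record, hashing and function names are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple
import hashlib
import hmac
import os

MAX_AGE_DAYS = 90        # passwords expire after 90 days
REMINDER_DAYS = 14       # logon/email reminders start 14 days before expiry
MIN_LENGTH = 6           # minimum length 6 (8 recommended)
HISTORY_SIZE = 10        # the last 10 passwords may not be reused
LOCKOUT_THRESHOLD = 5    # lock after 5 consecutive incorrect attempts
PBKDF2_ROUNDS = 100_000  # illustrative; production deployments use far more


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 (hypothetical storage format): returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first
    last_changed: Optional[date] = None   # None: initial password never changed by the user
    consecutive_failures: int = 0
    locked: bool = False

    def set_initial_password(self, password: str) -> None:
        """Administrator-issued password: stored, but last_changed stays None."""
        self.history.insert(0, hash_password(password))

    def set_password(self, password: str, today: date) -> None:
        """User-chosen password: enters the history and restarts the 90-day clock."""
        self.history.insert(0, hash_password(password))
        del self.history[HISTORY_SIZE:]   # keep only the last 10
        self.last_changed = today

    def password_matches(self, password: str) -> bool:
        if not self.history:
            return False
        salt, digest = self.history[0]
        return hmac.compare_digest(hash_password(password, salt)[1], digest)


def password_status(account: Account, today: date) -> str:
    """'must_change', 'expired', 'reminder:<days left>' or 'ok'."""
    if account.last_changed is None:
        return "must_change"             # initial password must be changed on first use
    days_left = MAX_AGE_DAYS - (today - account.last_changed).days
    if days_left <= 0:
        return "expired"
    if days_left <= REMINDER_DAYS:
        return f"reminder:{days_left}"
    return "ok"


def check_new_password(account: Account, candidate: str) -> List[str]:
    """Policy rules a candidate password breaks; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for salt, digest in account.history:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
            break
    return problems


def record_login(account: Account, password: str) -> str:
    """Apply one logon attempt and return 'locked', 'success' or 'failure'."""
    if account.locked:
        return "locked"                  # even a correct password is refused once locked
    if account.password_matches(password):
        account.consecutive_failures = 0  # a success resets the failure streak
        return "success"
    account.consecutive_failures += 1
    if account.consecutive_failures >= LOCKOUT_THRESHOLD:
        account.locked = True
        return "locked"
    return "failure"


def demo() -> dict:
    """Walk one constructed account through every rule and collect the outcomes."""
    r = {}
    acct = Account()
    acct.set_initial_password("Welcome1")
    changed = date(2007, 10, 12)
    r["first_use"] = password_status(acct, changed)
    acct.set_password("aut0mn-leaves", changed)
    r["day_0"] = password_status(acct, changed)
    r["day_80"] = password_status(acct, changed + timedelta(days=80))
    r["day_90"] = password_status(acct, changed + timedelta(days=90))
    r["short"] = check_new_password(acct, "abc12")
    r["reused"] = check_new_password(acct, "Welcome1")
    r["fresh"] = check_new_password(acct, "n3w-passphrase")
    r["after_4"] = [record_login(acct, "wrong") for _ in range(4)][-1]
    r["reset"] = record_login(acct, "aut0mn-leaves")
    r["after_5"] = [record_login(acct, "wrong") for _ in range(5)][-1]
    r["locked_even_if_correct"] = record_login(acct, "aut0mn-leaves")
    other = Account()                    # history window: the 11th change evicts the first
    for i in range(11):
        other.set_password(f"passw0rd-{i}", changed)
    r["evicted"] = check_new_password(other, "passw0rd-0")
    r["still_held"] = check_new_password(other, "passw0rd-1")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reminder window and the history check are the parts worth comparing with a real directory: the status function is what a logon banner or reminder mailer would call, and the history comparison only works because each stored entry keeps its own salt, so old hashes never need to be stored in a weaker reversible form.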



