Minutes of Special ACAC Summer Meeting of June 10, 2014, submitted by C. Wigley
Representatives of the Academic Computing Advisory Committee (ACAC) were invited by Vice President Marco Benedetti and ITS Commander-in-Chief and all-round nice guy Walt Drabek to discuss the possibility of Canisius adopting a password aging policy. The representatives met on June 10 in the President’s Board Room. Attendees included Chuck Wigley, Pat Johnson, Marco Benedetti, Mark Gallimore, Scott Clark, Leah MacVie, Lisa Mastropaolo, Walt Drabek, Bob Davis, and Michael Wood.
In light of recent changes during the past five years, including, inter alia, the great increase in the number of users using laptop computers, the growing risk of getting “hacked,” the increased use of computers to use and transfer financial information, the increased use of sophisticated attack vectors by attackers, and the total quantum of computer-stored information, the group, generally (but without a vote being taken), reached an overall consensus favoring biannual (twice per year) password changes.
The plan is to be implemented after school resumes for the 2014-2015 school year so that faculty and students have time to “settle in” and so that ACAC as a representative body can discuss and vote on such a policy at its September 10th meeting. Under the plan, users will receive a 30-day notice, biannually, stating that the user’s password is about to expire and must be changed. Individuals will then be able to change their passwords and can, if they desire, use any previous password that has not been used for at least 2 semesters. Individuals failing to change in a timely manner will still be able to access the password change feature through the portal by using the “expired” password to set a new password. “Expired passwords” will not work for any other log-in feature.
At the meeting, ACAC Chair Chuck Wigley initially spoke strongly against adopting a password aging policy. Objections raised included 1) shoulder surfing problems, 2) user physical display/storage of cryptic passwords (therefore, easily stolen/discovered), 3) “Helpdesk Mania,” and 4) antagonizing faculty. In addition, he forwarded copies of the Gartner research report from 2005 that stood in opposition to password aging. The argument that swayed him to change his position was Vice President Benedetti’s observation that insurance companies strongly favor password aging policies. Wigley observed that actuaries’ risk assessment skills, as used in insuring clients, are exceedingly good and in cases of determining whether there is greater risk of loss from having vs. not having such a policy it would be prudent to go with their risk analysis.
Walt pointed out that 20 of the 28 Jesuit schools have such a policy in place (71.42%). Lisa brought up the attack vectors problem, Mike spoke of D.O.E. requirements and the ease of changing passwords, and Leah spoke of the importance of educating users about the policy and how to implement it effectively. Pat and Marco addressed the “best practices” issue. A point raised by long-standing ACAC member Joe Glynn (retired) from his home in Arizona was that the lifetime email feature for retirees should continue. That policy will continue and, for individuals failing to change their passwords within the 30-day notice, all emails, etc., will continue going into the person’s account and, after setting a new password, will be accessible.
It was clear throughout this meeting that everyone’s input was welcome and that input mattered. Appreciation was expressed at 1:05 p.m. when the meeting started and, again, at 1:58 p.m. when the meeting ended for the collaborative approach extended by Marco and Walt. ACAC will formally vote for or against the policy at its September 10th meeting. Given the significant change in circumstances over the past five years, as noted, it seems likely that the vote will support such a policy.