I've had a request from one of our governors regarding our password policy for students. She wants to know what other schools enforce as she thinks ours should be along the lines of at least 8 characters including numbers and symbols and a history of ten passwords. I think this is overkill for students but I would welcome any comments.
I'd agree it's overkill as a blanket policy but maybe in this day and age it's time to start pushing it as an important lesson. Maybe a little too much for Year 7s though.
However, as has already been proven and mentioned, passwords are better off being a mixture of "odd" and unrelated words even if they are dictionary. It surprised me how many of our students have sentences for passwords. Works rather well - starts with a capital (maybe more), has spaces. Difficult to enforce though!
It would almost certainly increase your workload if you deal with password changes, or if staff are able to change passwords it would quite likely add time to the start of lessons.
Experience has shown that a history of any more than 3 passwords will leave you with a lot of angry users. If you really want to piss off your users, enforce that passwords have to differ from the previous one by several characters. We enforce 8 characters, mixture of letters and numbers, but no expiry. We have lockout after three failed attempts to log in and students have to come and see us for unlock.
A few weeks ago, we had a flood of students coming in with locked accounts. One of the students was noting down user ids, and trying random passwords to lock the account for "fun". If I had my way, he'd be hanging up in the server room by his gonads. As it happens, SMT had us disable his account for a week and they had a word with him. It's all gone away now and we're back to the usual trickle of locked accounts. Bad password entry is now because the caps lock is on or simple "sausage fingers".
We have minimum 6 characters, last 3 remembered, 90 day expiry.
This does not apply to the Junior School though - they get no expiry.
PC and email have no expiry and I have no enforced rule for either. It's bad enough some forget what they set it as yesterday, let alone what their last three were.
We as staff have no rule on PC but email has to have at least 3 numbers.
I just find if you enforce complex passwords you just end up with monitors/desks with Post-it notes on them with the password, making it less secure.
Thanks for all your views. The other complication we have is that we have a significant proportion of students with dyslexia, which obviously causes issues.
At the moment we have four character minimum which expires at the standard 42 days. We are also still running 2003 AD mode because of a legacy DC/Exchange server that we are decommissioning during the summer holidays. Once we upgrade to 2008 AD mode we can at least force the staff to use a strong password without upsetting the students too much!
Minimum of 5 characters, no history.
One day, when someone tells me to change them and what to, they'll take advantage of the multiple password policies in 2008 R2 and KS3, KS4 and KS5 will have progressively more complex requirements.
Two unrelated four or five letter words, e.g. cart.next
No expiry at all
We have complex on for students, but it doesn't expire.
Staff have complex, change every 31 days, can't use previous password.
I had change every 30 days for both, but students are useless, especially as we are a middle school so kinda stuck in the middle of age ranges.
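
The per-key-stage idea raised above (multiple password policies in 2008 R2) can be built with fine-grained password policies. This is an added example, not from any poster in the thread: the group names, the user name and the minimum lengths are assumptions, while the history of 3, 90 day expiry and lockout after three attempts echo figures mentioned in the thread.

```powershell
# Added example. Needs the ActiveDirectory module and a domain functional
# level of Windows Server 2008 or later.
Import-Module ActiveDirectory

# Fine-grained policies attach to users or global security groups, not OUs.
# Group names are hypothetical; lengths are illustrative assumptions.
# A lower Precedence value wins when a user is in more than one group.
$tiers = @(
    @{ Name = 'PSO-KS3'; Group = 'Students-KS3'; Precedence = 30; MinLength = 6;  Complex = $false },
    @{ Name = 'PSO-KS4'; Group = 'Students-KS4'; Precedence = 20; MinLength = 8;  Complex = $false },
    @{ Name = 'PSO-KS5'; Group = 'Students-KS5'; Precedence = 10; MinLength = 10; Complex = $true  }
)

foreach ($t in $tiers) {
    $params = @{
        Name                        = $t.Name
        Precedence                  = $t.Precedence
        MinPasswordLength           = $t.MinLength
        ComplexityEnabled           = $t.Complex
        PasswordHistoryCount        = 3                        # history of 3, as suggested in the thread
        MinPasswordAge              = (New-TimeSpan -Days 0)
        MaxPasswordAge              = (New-TimeSpan -Days 90)  # 90 day expiry, as one school uses
        LockoutThreshold            = 3                        # lockout after three failed attempts
        # Assumed: a timed unlock limits the impact of someone locking
        # other users' accounts on purpose. Duration must be >= the window.
        LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
        LockoutDuration             = (New-TimeSpan -Minutes 30)
        ReversibleEncryptionEnabled = $false
    }
    New-ADFineGrainedPasswordPolicy @params
    Add-ADFineGrainedPasswordPolicySubject -Identity $t.Name -Subjects $t.Group
}

# Confirm which policy actually applies to one account (hypothetical user).
Get-ADUserResultantPasswordPolicy -Identity 'example.student' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

Users who are in none of the groups keep the default domain policy, so staff can stay on a stricter domain-wide setting.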