Keeping passwords safe is a key factor in the overall security of an individual's digital identity, and consequently of the services and resources to which that identity has been granted access. Access management services, such as those provided by IT Services, bring together the individual (client) and the service provider (SP) of services and/or resources. In this arrangement IT Services acts as an arbiter between the two parties, and is involved in assuring a level of security to each. The client expects IT Services to prevent other individuals from accessing resources using their identity; the SP expects IT Services to ensure that clients are properly authenticated so that access to its services and resources is adequately controlled.
This model means that IT Services must manage the access management infrastructure in such a way that it can meet the common requirements of both clients and SPs. Failure to offer the required levels of assurance would undermine the trust placed in IT Services by clients, and would push SPs to provide their own access management systems.
At a University-wide level it is desirable to maintain and use a central access management infrastructure which offers both simplicity to the client (single username, password, with a single registration procedure and uniform guarantee of identity security), and removes the burden of identity management from the many individual SPs. This requires us to define a policy for password management that assures clients and service providers alike that IT Services is taking adequate steps to maintain overall security of clients' digital identities.
Password expiry is a topic that typically evokes strong responses wherever it is discussed. There have been many internal debates at IT Services, it is a common subject raised by users, and web searches show that the issue crops up in many different types of organisation. Despite the general acceptance of other password security measures, password expiry is typically viewed as necessary by those responsible for ensuring security, and inconvenient by users.
There are two processes that result in password expiry at Oxford. The first is manual password expiry, used to force a password change when it is suspected that a password has been exposed to someone other than the account owner. The second is the automated process of periodic password expiry. While the latter cannot reduce the occurrence of password compromise, it limits the period during which a compromised password remains usable, and so bounds the potential for its abuse.
This might seem strange when set against the backdrop of the huge number of everyday websites and services that authenticate visitors but do not implement password expiry. We are often asked to justify our policy in the light of what appears to be common practice – some of the most frequently presented arguments appear below.