Educause Security Discussion mailing list archives

Re: Password Security


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Tue, 23 Oct 2007 12:22:02 -0600

Gene has done what we should always do in this sort of situation, look
at the risks and consequences and assess the impact of failure.

There is a more subtle failure at the root of this question, that is the
encouragement to act in a manner that is insecure, thus propagating
inferior practice.  It builds upon a culture immune to security as a
significant daily priority. 

That being said there are those in our community with significant
experience and clout suggesting just as an early responder did, that
writing down passwords is the lesser of two evils.  In this case damned
if you do and damned if you don't - one is a continual incremental
operational drain, the other is the potential of a large-scale public
event and terrible publicity not to mention possible fines and even
criminal liability. 

This simply goes to prove that the password alone as a security
construct is horribly broken.  We have to move on to simple two-factor
solutions or we will never nip this problem adequately.  Key-loggers,
shoulder surfers, insider criminals and on and on will continue to
exploit the weaknesses of a typed secret.  Just think about those cash
cards in your pocket - a very simple key is possible because it is
combined with possession of something that is difficult to attain.  (Not
saying this is a perfect model, just a whole lot better than remembering
132 complex and constantly changing passwords.)

We really need to get more corporate in this aspect - some sort of
ID/Badge/Token/USB Key/proximity device/something plus a simple password
for every constituent.  Now that bad officemate has not only to learn
the code, he or she has to actually steal the other half of the
credential, something that places the constraint of possibly being seen
or caught into the picture, and something that eliminates the vast
majority of the potential remote attackers from gaining significant
authority.  

Perhaps Gene has at his fingertips some sort of cost comparison of the
cumulative repetitive support and breach issues vs. the cost of
implementing two-factor systems today?  (I wouldn't put it past him,
he's always got loads of insightful data!) It's got to be getting more
even these days.

One can dream, can't one?  I know auditors have been castigated
throughout history for making this type of recommendation, and I've
avoided it for years (as it really was too expensive and complicated to
be practical), but the truth is it is finally becoming affordable, and
the public outcry is getting great enough, and the risk is proving
widespread enough to make the message germane.

Best regards,

Jim 


*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
 
 
-----Original Message-----
From: Gene Spafford [mailto:spaf () CERIAS PURDUE EDU] 
Sent: Tuesday, October 23, 2007 11:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Security

Simplest argument?

If an employee has identity/assets/benefits stolen as a result of
theft of one of these cards, there is no shortage of experts who
could testify -- in a negligence lawsuit against the university --
that it is known bad practice to write sensitive passwords where they
can be found.  That could mean increased damages against the
university from any aggrieved employee.

Oh, and now that this threat is online, any aggrieved employees (or
their attorneys) will be able to find it to help identify said
experts and show that the university had prior notice.

So, as with any standard risk management, it is up to university
authorities to decide if it is worth the risk of losing a messy,
expensive lawsuit that might be enabled by their policy.

:-)
