Educause Security Discussion mailing list archives
Re: Password Security
From: David Seidl <dseidl () ND EDU>
Date: Tue, 23 Oct 2007 16:25:16 -0400
I ran into Gary in the hall and mentioned what I tell people who can't remember passwords/passphrases, and who can't or won't use a Password Safe style application. The spiel goes something like this:

If you can't remember your passphrases, then you should write down part and remember the rest. A list of phrases with a common key portion missing is quite reasonable as long as it isn't easily reverse engineered. The incidence of both losing your wallet and having someone learn your keyphrase is likely to be very low, unless you're in the bad habit of muttering as you type it...

If you do lose the battle over the cards, turn it into a user education opportunity - "How many of you in this room have lost your wallet, or had it stolen?" followed by "Who has their complete password written down in their wallet next to their university ID card?" should be a winning combination.

David

--
David Seidl, CISSP
University of Notre Dame, Office of Information Technologies

Gary Dobbins wrote:
The legendary advice "never write passwords down" originated from the days when officemates were among the major threats, 3270 terminals were new, and post-it notes soon became the classic example of that threat vector. Now that the Internet is the usual vector for password attack, IMO having a stronger password is very important, even if they have to keep a copy in their wallet (or somewhere reasonably safe) because it's not memorable.

The risk here depends on the value of the asset being protected by that password, and whether these people are likely to choose bad (but memorable) passwords if they are prohibited from writing them down. Let's presume the asset is not of unusual value. If it were, it might be too permissive to let them write passwords down. If the asset is not unusual, I would ensure that the passwords are strong, then let them keep them in their wallet, especially if they're infrequent users. You'll save everyone "lost password" headaches, and fewer of their accounts will end up in the hands of hostile persons across the net.
Attachment: smime.p7s (S/MIME Cryptographic Signature)