Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Andrea Beesing <amb3 () CORNELL EDU>
Date: Sun, 25 Nov 2007 19:28:47 -0500
Eric,

This statement was the subject of some debate among staff who participated in the drafting of the university policy, the final version of which is still pending. In the current draft the wording has been changed to better capture the intent:

"To avoid unauthorized access to IT resources, users must apply the following rules for using passwords associated with a Cornell electronic identifier:
--Store the password in a secure location
--Do not collect passwords from others or store them anywhere"

Although not part of the policy per se, but discussed as an implementation detail, is a set of recommendations for users who find it necessary to store their own passwords somewhere for retrieval later. The use of specific encryption tools could be included in the recommendations.

I expect that as we approach completion of the policy over the next several weeks we'll re-open this discussion. It's possible that the above wording will be refined as well.

Andrea Beesing
Asst Dir, IT Security
Cornell Information Technologies
120 Maple Ave.
Ithaca, NY 14853
607 254-7441

Eric Case wrote:
At 04:35 PM 11/20/2007 -0500, Andrea Beesing wrote:

I am sending you a link to an interim policy which includes information about our current password standard. When we implemented the password complexity rules we chose not to include password aging/expiration. It's very possible that this decision could be revisited in the future as we refine our approach to data classification and security.

http://www.cit.cornell.edu/policy/interim/AuthenticationITR.html

It says "The password must never be shared, written down, or stored in electronic form." Does that mean programs like Password Safe can't be used to store an encrypted password? What about the authentication itself? It stores the encrypted password in electronic form.

-Eric

Eric Case, CISSP <ecase () Arizona edu>
Information Security Officer
College of Engineering <http://www.Engr.Arizona.edu>
1127 E James E. Rogers Way Room 200
Tucson, AZ 85721-0020
Mobile Phone 520-275-6436