Educause Security Discussion mailing list archives

Re: passwords


From: Kent Percival <percival () UOGUELPH CA>
Date: Sun, 18 Oct 2009 16:15:52 -0400

Should we be advocating for better networked Access Management solutions which reduce password proliferation without requiring more complicated solutions than necessary for the user?

Many of us have adopted Single-Sign-On solutions for our campus.  We should also encourage

·  OpenID for lower risk social networking or general “cloud” applications. With Google, Yahoo, etc. getting behind OpenID, this access federation solution will become much more pervasive.  It is also a good solution for lower-risk campus applications that extend to audiences beyond the immediate community, including prospective students.  For such external applications we should encourage our community to adopt such solutions for their general internet activities to improve their security hygiene.

·  SAML 2.x (e.g. Shibboleth) for higher risk applications operated outside the immediate campus security domain (e.g. multi-institutional shared, or commercially provided, such as library resource providers).  Access to these applications depends on the user’s relationship to the institution – SAML can transmit such institutional role information to service provider authorization policies, while also protecting against identity leaks, all while relying on the institution’s Single-Sign-On credentials for authentication.

....Kent

Kent Percival,  M.Sc., P.Eng.
Manager, Research Partnerships
Computing and Communications Services
University of Guelph
Guelph, ON  N1G 2W1
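A constructed illustration of the SAML point above (added here; not part of Kent's message or of Shibboleth's own code): the IdP asserts a per-service-provider pseudonym plus scoped affiliations, and the SP authorizes on the role without ever learning the campus username. The entity IDs, scope and IdP key are made-up values, and the assertion is unsigned and stripped of conditions for brevity.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# eduPersonScopedAffiliation, the attribute campuses commonly release to SPs
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"


def targeted_id(idp_secret, username, sp_entity_id):
    """Pairwise pseudonym: keyed hash of (user, SP). Each SP sees a stable id
    for the user that differs at every other SP and never reveals the username."""
    msg = f"{username}|{sp_entity_id}".encode()
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()


def build_assertion(idp_secret, username, sp_entity_id, affiliations):
    """IdP side: assert a pseudonymous subject plus institutional roles.
    Simplified: no XML signature, validity conditions or SAML bindings."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(root, f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID", Format=NAMEID_PERSISTENT)
    name_id.text = targeted_id(idp_secret, username, sp_entity_id)
    stmt = ET.SubElement(root, f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=SCOPED_AFFILIATION)
    for value in affiliations:
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def sp_authorize(assertion_xml, allowed_roles, scope):
    """SP side: grant access only if a released affiliation is an allowed role
    scoped to the expected institution. Returns (granted, pseudonym)."""
    ns = {"saml": SAML_NS}
    root = ET.fromstring(assertion_xml)
    pseudonym = root.findtext("saml:Subject/saml:NameID", namespaces=ns)
    path = (f"saml:AttributeStatement/saml:Attribute[@Name='{SCOPED_AFFILIATION}']"
            "/saml:AttributeValue")
    values = [v.text for v in root.findall(path, ns)]
    # Both the role and the scope must match; a matching role from another
    # institution's scope is not accepted.
    granted = any("@" in v and v.split("@", 1)[0] in allowed_roles
                  and v.split("@", 1)[1] == scope for v in values)
    return granted, pseudonym
```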


-----Original Message-----
From: Gary Dobbins [mailto:dobbins () ND EDU]
Sent: October 17, 2009 19:16
Subject: Re: SECURITY Digest - 15 Oct 2009 to 16 Oct 2009 (#2009-236)



Has anyone else tried lastpass (.com)?  I've found it to be an option for handling these problems.  It will randomly generate passwords, remember them all, one for each place you visit, and (presuming their answers to how they handle the data are true) the storehouse of your passwords never leaves your computer unencrypted by a master password only you know.

I'd be interested to hear if others find this valid, or if the service has a serious Achilles' heel.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Geoff Nathan
Sent: Saturday, October 17, 2009 6:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SECURITY Digest - 15 Oct 2009 to 16 Oct 2009 (#2009-236)



Matt said:

I tend to use truly random passwords from a generator or those similar in style to what Don mentioned.

It's of course ideal to use long, random, meaningless strings as passwords. It's also ideal to have a different password for each application (server, e-mail, banking site, etc. etc.) that we log into. But I have two e-mail accounts (three if we include the one that AT&T gives me as part of my home setup), a Wayne State single sign-on password, my bank, my credit card, my retirement accounts, and then the less risky ones like Amazon, Zagat, Cooks Illustrated, Tripit, and I could go on (as in fact I have...)

It's simply impossible to remember all these, unless I repeat the passwords, or use a password wallet (which itself is clumsy, and requires its own password). As others have said, the password paradigm is broken, and, as long as two-factor is too expensive we're going to continue to have trouble, and it's not the users' fault. We can't ask them to do twelve impossible things before breakfast and slap their wrists when they don't. Eventually they will slap back, and they will be right.



Geoffrey S. Nathan
Faculty Liaison, C&IT
and Associate Professor, Linguistics Program
Wayne State University
Detroit MI 48230
+1 (313) 577-1259 (C&IT)
+1 (313) 577-8621 (English/Linguistics)



----- "SECURITY automatic digest system" <LISTSERV () LISTSERV EDUCAUSE EDU> wrote:

From: "SECURITY automatic digest system" <LISTSERV () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Saturday, October 17, 2009 12:00:01 AM GMT -05:00 US/Canada Eastern
Subject: SECURITY Digest - 15 Oct 2009 to 16 Oct 2009 (#2009-236)

Attachment: smime.p7s