Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 17 Mar 2010 04:33:31 -0400
On Wed, 17 Mar 2010 21:18:08 +1300, Russell Fulton said:
> So why don't we all do this? Because 2fa is an identifiable and quantifiable cost that some part of the organisation has to pay whereas getting users to change their passwords does not come out of anyone's budget.
A small but important correction here - it isn't *visibly* coming out of any *one* specific budget as a line item, because it's causing nickel-and-dime hemorrhaging out of *every* business unit's budget. Remember to include second-order effects - you noted the increased tendency to post-it the passwords, which is a security cost. Also, you have a fighting chance that a user will pick a good password when given time to change it, but you *know* they're going to pick something fast and stupid when they're looking at that 'Your password will expire in 0 days - mandatory change now' prompt. ;)