Re: Are users right in rejecting security advice?

[Roger Safian <r-safian () NORTHWESTERN EDU>]

At 03:41 PM 3/17/2010, Eric Case put fingers to keyboard and wrote:
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jansen, Morgan R.
> > Sent: Wednesday, March 17, 2010 12:58 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Are users right in rejecting security advice?
> >
> > This is such an interesting discussion!  I agree that security must be
> > tailored for the institution.  Relating the reasoning to the user base
> > and giving them training is key.  My husband works with me and hated
> > when we implemented more restrictive password policies.  I have found
> > that when people understand why they are more restrictive and are given
> > some tips on how to remember their passwords they are more agreeable.
>
>
> <rant>
> I do not mean to offend anyone, but is that mindset the reason that users
> reject security advice?  "The new password policy is more restrictive" vs.
> "the new password policy is simple; longer is better" (or whatever).  When
> are we going to stop saying password and start saying passphrase?  Long and
> 'simple' bets short and 'complex' everyday.  Has everyone seen Pafwert
> http://xato.net/bl/2007/01/30/pafwert-smarter-passwords?
> </rant>

We have a pretty simple policy.  Feel free to use.

<http://www.mcsweeneys.net/2007/5/1blaszak.html>

;-)


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 467-6437   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"