Educause Security Discussion mailing list archives

Re: Please do not change your password


From: Allison Dolan <adolan () MIT EDU>
Date: Wed, 14 Apr 2010 10:49:32 -0400

RE: the auditors - If you are talking about internal auditors, in
general, they do not make the rules - they check to make sure you are
following the rules.  So the question is, who made those rules? (and
I suspect the answer, in many cases, would come back to the IT dept....)


Allison F. Dolan
Program Director, Protecting Personally Identifiable Information
Massachusetts Institute of Technology



On Apr 14, 2010, at 9:04 AM, Justin Sherenco wrote:

Hello,
I came across an interesting article on password changes.  Author
Cormac Herley of Microsoft makes a good case albeit just a cost-
benefit analysis.  I had to go back and think of why these types of
policies were created in the first place.  I came to my own
conclusion that they were created before the days of complex
password (passphrase) enforcement and the ability to automatically
lock out accounts after X amount of failed log-in attempts.

Do you think he can convince the auditors?


http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full

Regards,
Justin


-------------------------------------
Justin Sherenco
Security Analyst
734-487-8574
Eastern Michigan University
http://it.emich.edu/security




