Educause Security Discussion mailing list archives
Re: Please do not change your password
From: Bob Bayn <bob.bayn () USU EDU>
Date: Thu, 15 Apr 2010 11:23:23 -0600
Steve Werby [smwerby () VCU EDU] wrote, in part:

I consider the biggest password related failure of the information security community to be that we demand that users memorize their passwords (or alternately "don't write them down"). Sure, we don't want them to attach them to their monitor or hide them under their keyboard, but do we really believe there's a significant risk if they're kept in their wallet inside their pocket and written down in a way that doesn't clearly reveal them? Or storing them in an encrypted password vault? We're causing them to re-use passwords (http://www.sophos.com/blogs/gc/g/2009/03/10/password-website/) or create passwords that follow a similar format, which puts the systems we're trying to protect at significant risk.

=============

When we went from 4 char minimum passwords with no expiration about 2 years ago, our new "strong" password instructions included this recommendation:

"If you need to write down your password do not leave it near your computer and NEVER include the username and password on the same document. Keep your password with other information that you guard carefully, like your drivers license and credit cards."

ref: http://it.usu.edu/security/htm/passwords

Bob Bayn (435)797-2396
Security Team coordinator
Don't let hackers use your computer when you aren't. Turn off your computer at the end of your work day.
Office of Information Technology at Utah State University