Educause Security Discussion mailing list archives

Re: Please do not change your password


From: Bob Bayn <bob.bayn () USU EDU>
Date: Thu, 15 Apr 2010 11:23:23 -0600

 Steve Werby [smwerby () VCU EDU] wrote, in part:

I consider the biggest password related failure of the information security community to be that we demand that users 
memorize their passwords (or alternately "don't write them down").  Sure, we don't want them to attach them to their 
monitor or hide them under their keyboard, but do we really believe there's a significant risk if they're kept in their 
wallet inside their pocket and written down in a way that doesn't clearly reveal them?  Or storing them in an encrypted 
password vault?  We're causing them to re-use passwords (http://www.sophos.com/blogs/gc/g/2009/03/10/password-website/) 
or create passwords that follow a similar format, which puts the systems we're trying to protect at significant risk.

=============
When we went from 4 char minimum passwords with no expiration about 2 years ago, our new "strong" password instructions 
included this recommendation:

"If you need to write down your password, do not leave it near your computer and NEVER include the username and password 
on the same document.  Keep your password with other information that you guard carefully, like your driver's license 
and credit cards."

ref: 
http://it.usu.edu/security/htm/passwords


Bob Bayn        (435)797-2396      Security Team coordinator
  Don't let hackers use your computer when you aren't.
  Turn off your computer at the end of your work day.
Office of Information Technology   at  Utah State University
