Re: Please do not change your password

[Steve Werby <smwerby () VCU EDU>]

Paul, thanks for sharing that story!  That user gets points for creativity.

I'm a greedy realist - I'd love for my users to memorize our university
enterprise password, but I don't want them to use it anywhere else and
it's unreasonable to expect both.  I like the USU's approach that Bob
Bayn described later in this thread.

--
Steve Werby
Information Security Officer
Virginia Commonwealth University
VCU Information Security - http://infosecurity.vcu.edu/
News, Tips & More - http://www.twitter.com/vcuinfosec
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf

On 4/15/2010 12:33 PM, Paul Kendall wrote:
> There are those of us in the security profession who have advocated
> this for a long time. However, users also have a tendency to write
> their password down with every intention of putting it away securely,
> and then get distracted or otherwise get busy and leave it on the desk
> or in the desk drawer. Hence the tendency away from writing it down.
>
> Something you may not have thought about: several years ago (mainframe
> green-screen days) we had a situation where we just absolutely knew
> this individual was writing down their password. Searched all over,
> could not find it. So one of my team discreetly watched as they logged
> in one day. They entered username, and the adjusted the monitor
> slightly. That's when he saw it -- written in the dust on the screen.
>
> Password vaults are generally a better way to do this, providing users
> will actually use them.
>
> *Paul*
>
> ========================================
> Paul L. Kendall, CGEIT, CHS-III, CISM, CISSP, CSSLP
>
> Senior Consultant
> Accudata Systems, Inc.
>
> *From:* The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Allison Dolan
> *Sent:* Thursday, April 15, 2010 11:05 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Please do not change your password
>
> good point!    given the number of security professionals who write
> down passwords, this is a case of 'do as I say, not as I do'...
>
> ......Allison  Dolan (617-252-1461)
>
>
>
> On Apr 15, 2010, at 11:24 AM, Steve Werby wrote:
>
>
>
> I consider the biggest password related failure of the information
> security community to be that we demand that users memorize their
> passwords (or alternately "don't write them down").  Sure, we don't
> want them to attach them to their monitor or hide them under their
> keyboard, but do we really believe there's a significant risk if
> they're kept in their wallet inside their pocket and written down in a
> way that doesn't clearly reveal them?  Or storing them in an encrypted
> password vault?  We're causing them to re-use passwords
> (http://www.sophos.com/blogs/gc/g/2009/03/10/password-website/) or
> create passwords that follow a similar format, which puts the systems
> we're trying to protect at significant risk.
>
> Long + unique + write them down securely