Educause Security Discussion mailing list archives

Re: Please do not change your password


From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Thu, 15 Apr 2010 19:03:23 -0700

At least they did not file their passwords in their rolodex under P on a
card marked passwords with all the passwords, user names and systems they
went with.

-Eric

Eric Case, CISSP

eric (at) ericcase (dot) com

http://www.linkedin.com/in/ericcase

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Kendall
Sent: Thursday, April 15, 2010 9:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

There are those of us in the security profession who have advocated this for
a long time. However, users also have a tendency to write their password
down with every intention of putting it away securely, and then get
distracted or otherwise get busy and leave it on the desk or in the desk
drawer. Hence the tendency away from writing it down.

Something you may not have thought about: several years ago (mainframe
green-screen days) we had a situation where we just absolutely knew this
individual was writing down their password. Searched all over, could not
find it. So one of my team discreetly watched as they logged in one day.
They entered the username and then adjusted the monitor slightly. That's when he
saw it - written in the dust on the screen.

Password vaults are generally a better way to do this, providing users will
actually use them.

Paul

========================================
Paul L. Kendall, CGEIT, CHS-III, CISM, CISSP, CSSLP

Senior Consultant
Accudata Systems, Inc.

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison Dolan
Sent: Thursday, April 15, 2010 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

Good point! Given the number of security professionals who write down
passwords, this is a case of 'do as I say, not as I do'...

......Allison Dolan (617-252-1461)

On Apr 15, 2010, at 11:24 AM, Steve Werby wrote:

I consider the biggest password related failure of the information security
community to be that we demand that users memorize their passwords (or
alternately "don't write them down").  Sure, we don't want them to attach
them to their monitor or hide them under their keyboard, but do we really
believe there's a significant risk if they're kept in their wallet inside
their pocket and written down in a way that doesn't clearly reveal them?  Or
storing them in an encrypted password vault?  We're causing them to re-use
passwords (http://www.sophos.com/blogs/gc/g/2009/03/10/password-website/) or
create passwords that follow a similar format, which puts the systems we're
trying to protect at significant risk.

Long + unique + write them down securely
