Educause Security Discussion mailing list archives
Re: Please do not change your password
From: Allison Dolan <adolan () MIT EDU>
Date: Fri, 16 Apr 2010 07:55:35 -0400
Of course you don't put them all under P - they are each on their own card, under the appropriate letter (B for bank, I for Investments, etc)
......Allison Dolan (617-252-1461)

On Apr 15, 2010, at 10:03 PM, Eric Case wrote:

At least they did not file their passwords in their rolodex under P on a card marked passwords with all the passwords, user names and systems they went with.

-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Kendall
Sent: Thursday, April 15, 2010 9:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

There are those of us in the security profession who have advocated this for a long time. However, users also have a tendency to write their password down with every intention of putting it away securely, and then get distracted or otherwise get busy and leave it on the desk or in the desk drawer. Hence the tendency away from writing it down.

Something you may not have thought about: several years ago (mainframe green-screen days) we had a situation where we just absolutely knew this individual was writing down their password. Searched all over, could not find it. So one of my team discreetly watched as they logged in one day. They entered username, and then adjusted the monitor slightly. That’s when he saw it – written in the dust on the screen.

Password vaults are generally a better way to do this, providing users will actually use them.

Paul
========================================
Paul L. Kendall, CGEIT, CHS-III, CISM, CISSP, CSSLP
Senior Consultant
Accudata Systems, Inc.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison Dolan
Sent: Thursday, April 15, 2010 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

Good point! Given the number of security professionals who write down passwords, this is a case of 'do as I say, not as I do'.

........Allison Dolan (617-252-1461)

On Apr 15, 2010, at 11:24 AM, Steve Werby wrote:

I consider the biggest password-related failure of the information security community to be that we demand that users memorize their passwords (or alternately "don't write them down"). Sure, we don't want them to attach them to their monitor or hide them under their keyboard, but do we really believe there's a significant risk if they're kept in their wallet inside their pocket and written down in a way that doesn't clearly reveal them? Or storing them in an encrypted password vault? We're causing them to re-use passwords (http://www.sophos.com/blogs/gc/g/2009/03/10/password-website/) or create passwords that follow a similar format, which puts the systems we're trying to protect at significant risk.

Long + unique + write them down securely