Re: Please do not change your password

[Allison Dolan <adolan () MIT EDU>]

Of course you don't put them all under P - they are each on their own  
card, under the appropriate letter (B for bank, I for Investments, etc)

......Allison  Dolan (617-252-1461)



On Apr 15, 2010, at 10:03 PM, Eric Case wrote:

> At least they did not file their passwords in their rolodex under P  
> on a card marked passwords with all the passwords, user names and  
> systems they went with.
> -Eric
>
>
>
> Eric Case, CISSP
> eric (at) ericcase (dot) com
> http://www.linkedin.com/in/ericcase
>
> From: The EDUCAUSE Security Constituent Group Listserv  
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Kendall
> Sent: Thursday, April 15, 2010 9:34 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Please do not change your password
>
> There are those of us in the security profession who have advocated  
> this for a long time. However, users also have a tendency to write  
> their password down with every intention of putting it away  
> securely, and then get distracted or otherwise get busy and leave  
> it on the desk or in the desk drawer. Hence the tendency away from  
> writing it down.
>
> Something you may not have thought about: several years ago  
> (mainframe green-screen days) we had a situation where we just  
> absolutely knew this individual was writing down their password.  
> Searched all over, could not find it. So one of my team discreetly  
> watched as they logged in one day. They entered username, and the  
> adjusted the monitor slightly. That’s when he saw it – written in  
> the dust on the screen.
>
> Password vaults are generally a better way to do this, providing  
> users will actually use them.
>
> Paul
> ========================================
> Paul L. Kendall, CGEIT, CHS-III, CISM, CISSP, CSSLP
> Senior Consultant
> Accudata Systems, Inc.
>
> From: The EDUCAUSE Security Constituent Group Listserv  
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison Dolan
> Sent: Thursday, April 15, 2010 11:05 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Please do not change your password
>
> good point!    given the number of security professionals who write  
> down passwords, this is a case of 'do as I say, not as I do'...
>
> ......Allison  Dolan (617-252-1461)
>
>
>
>
> On Apr 15, 2010, at 11:24 AM, Steve Werby wrote:
>
>
> I consider the biggest password related failure of the information  
> security community to be that we demand that users memorize their  
> passwords (or alternately "don't write them down").  Sure, we don't  
> want them to attach them to their monitor or hide them under their  
> keyboard, but do we really believe there's a significant risk if  
> they're kept in their wallet inside their pocket and written down  
> in a way that doesn't clearly reveal them?  Or storing them in an  
> encrypted password vault?  We're causing them to re-use passwords  
> (http://www.sophos.com/blogs/gc/g/2009/03/10/password-website/) or  
> create passwords that follow a similar format, which puts the  
> systems we're trying to protect at significant risk.
>
> Long + unique + write them down securely