Educause Security Discussion mailing list archives

Re: Please do not change your password


From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Fri, 16 Apr 2010 08:44:59 -0700

So think outside the box.  

Building on the previous example (BigCity Tall boys) you could have:
BigCity Tall boys phone
BigCity Tall boys insurance
November Yankee Giants 42 paypal
November Yankee Giants visacard
November Yankee Giants amazon

Each is unique and easy to remember.  I have 179 passwords in my password safe and most are unique.  I do have a throwaway password for the web sites that make you register to get the driver, whitepaper, etc.
-Eric


Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tonkin, Derek K
Sent: Friday, April 16, 2010 7:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

Which is I said at the end you could create three levels or maybe four
but, for instance, I could decide to treat my passwords for my cell
provider, insurance company, and paypal the same and use one password
for all of my online sites that have no monetary component.  It still
reduces the overhead.

Derek Tonkin

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Friday, April 16, 2010 9:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password


On Fri, 16 Apr 2010 08:49:01 CDT, "Tonkin, Derek K" said:

I think a lot of the confusion and difficulty could be reduced by losing the
thinking that each password "if I'm responsible, needs to be different".  I
think this is one of those areas where the cost vs. risk mitigated is badly out
of balance.  You've clearly established that you basically have two sets of
information, sensitive and non-sensitive.  To me that would indicate the need
for two passwords.

Except that in most cases, the "sensitive" information can't be treated as
"sensitive to the same constituency", so it can't be blindly lumped
together as "two sets of info".
