Educause Security Discussion mailing list archives
Re: For IP; Re: good read: Please do not change your password
From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Wed, 21 Apr 2010 21:47:05 -0400
This is a little delayed -- sorry.

On Apr 16, 2010, at 4:11 PM, Stephen John Smoogen wrote:

On Fri, Apr 16, 2010 at 9:55 AM, Gene Spafford <spaf () cerias purdue edu> wrote:
I posted this back in 2006. It is germane to this discussion: http://www.cerias.purdue.edu/site/blog/post/password-change-myths/

I will say that when I first read this in 2006 I was against it. Well, I was bombarded with 20 forwards of it when it came out as we were doing our 90 day change of passwords; by the next one I think it went to 200....
Ouch! Sorry about that. I had no idea so many people have actually read some of my blog posts!
1) It's not the message that Dr Spafford wrote, but how the letters forwarded them. Usually with a snide comment about how it is clear IT/IS were idiots and Gene Spafford agreed with them. Of course, I think that sets a bad precedent and makes the IT person getting it much less to agree with Dr Spafford's advice.
Yes, and it is contrary to how I would express it! The people with the change policies are trying to do the right thing, and that does not make them idiots. But many security people set policies that annoy users without (a) understanding the basics of the policies, and (b) explaining it to the users in a way that encourages them to be part of the solution.
.... Me I recommend that if you are a security person stuck in a passive aggressive place... go find a better job elsewhere.
This parallels one of my older aphorisms -- which, restated, is that if you have security responsibility but no matching authority, then your role is to take the blame and it is best to move on before that happens.