Educause Security Discussion mailing list archives

Re: Password expiration - was Re: [SECURITY] Security Awareness Programs


From: Isabelle Grey <graham () AMERICAN EDU>
Date: Thu, 3 Apr 2014 09:52:51 -0400

On 03/04/14 09:44, Ruth Ginzberg wrote:
Many of us (myself included) commit various "password re-use" sins. (Attention (ISC)2: if you need evidence for 
relieving me of my infosec certification here it is)

Look: from a practical point of view: I have been using some version of the Internet since before the Internet per se existed (from that you may 
correctly infer that I am a Dinosaur). For all of that time, various entities have been requiring login/password combos to access both 
significantly sensitive, secret or confidential ... and also trivial ... data and functionality. I have had to create hundreds (maybe even 
>1000) of login/password combos in my lifetime, and probably currently still have ~75 that are in some sense "active." Never mind all 
the abandoned or "changed" ones from decades past that are probably stored insecurely Heaven-only-knows-where.

As a mere human -- I do not possess either the creativity or the memory capacity to create and remember that many 
different login/password combos, AND to remember if/when I may be re-using something I already used somewhere years or 
decades ago.

So I cheat. I have some relatively simple algorithms for creating login/password combos that exist only in my head, but I 
have no illusions about those algorithms being so complex that they couldn't easily be derived if some malicious actor 
had a few examples of them to work with.

As I get older, my "cheating" is getting less and less complicated and probably more and more obvious.

The reason I am only mildly concerned about this is because if a login/password (which is, after all, only single, not multi- 
factor authentication) is the only thing standing between me and some nefarious data thief ... I figure I'm already s****ed 
and probably shouldn't be using that site / service at all.

Ruth Ginzberg, CISSP, CTPS

Sr. I.T. Procurement Specialist
University of Wisconsin System

rginzberg () uwsa edu
608-890-3961

This is exactly the sort of challenge (creating different, secure passwords and remembering them) that password managers (LastPass, KeePass, Password Safe) address. The difficulty I've found is in getting users to actually use them, though when I've been able to convey the benefits I've had some success.
--
Isabelle Grey
Information Security
American University
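As an added illustration of the two points in this exchange, not code from either poster or from any of the named password managers: the block below does what a password manager's generator does (draws each password uniformly from a 94-symbol alphabet using the OS CSPRNG and reports the resulting entropy), and then runs a reuse check of the kind Ruth describes wishing she could do from memory, flagging credentials that are identical or that share a long common stem, which is how a "fixed word plus site suffix" mental scheme shows up. The site names and the sample credentials are constructed for the example.

```python
import math
import os
import secrets
import string

# Generator alphabet: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Draw a password uniformly from ALPHABET with the OS CSPRNG (secrets).

    Retries until every character class appears, so the result passes the
    usual composition rules; the rejection loop costs well under one bit.
    """
    if length < 4:
        raise ValueError("length must be >= 4 to hold one of each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        has_all_classes = (
            any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw)
        )
        if has_all_classes:
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly drawn password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_related(credentials: dict, min_shared: int = 8) -> list:
    """Return (site_a, site_b, kind) for credential pairs that are identical
    or share a common prefix of at least min_shared characters.

    The prefix rule catches the "same stem, site-specific suffix" habit that
    is easy to derive once an attacker has a couple of samples.
    """
    related = []
    sites = sorted(credentials)
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            pa, pb = credentials[a], credentials[b]
            if pa == pb:
                related.append((a, b, "identical"))
            elif len(os.path.commonprefix([pa, pb])) >= min_shared:
                related.append((a, b, "shared stem"))
    return related


# Constructed sample: a mental scheme of one stem plus a site suffix, with the
# bank password also reused verbatim on a forum.
MENTAL_SCHEME = {
    "bank.example": "Tyrann0saur!bank",
    "forum.example": "Tyrann0saur!bank",
    "mail.example": "Tyrann0saur!mail",
    "shop.example": "Tyrann0saur!shop",
}


def manager_style_vault(sites) -> dict:
    """Assign every site its own independently generated password."""
    return {site: generate_password() for site in sites}


if __name__ == "__main__":
    print(f"20 chars from {len(ALPHABET)} symbols: {entropy_bits(20):.1f} bits")
    print(f"8 lowercase letters:                 {entropy_bits(8, 26):.1f} bits")
    for a, b, kind in find_related(MENTAL_SCHEME):
        print(f"{kind:12s} {a} <-> {b}")
    vault = manager_style_vault(MENTAL_SCHEME)
    print("generated vault related pairs:", find_related(vault))
```

The reuse check is deliberately simple (exact match or shared prefix); a real manager can only compare what it stores, which is the other reason to let it generate the passwords in the first place.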
