Educause Security Discussion mailing list archives
Re: Password expiration - was Re: [SECURITY] Security Awareness Programs
From: Mike Cunningham <mike.cunningham () PCT EDU>
Date: Thu, 3 Apr 2014 15:09:51 +0000
To expand on the "annoyance" comment.. We all will accept a new student, create them an account, set an initial password, have them change it on first use to one of their choosing, All is well and good in the world. Then they come on campus... They connect their laptop to wireless which embeds the password in the device. They connect their phone to wireless which embeds the password in the device They setup activesync on their phone which embeds the password in the app They connect their tablet to wireless which embeds the password in the device They setup activesync on their tablet which embeds the password in the app They connect their IPTV to wireless which embeds the password in the device They connect their game console to wireless which (might) embed the password in the device Two months later we make them change their password and the chaos begins. They don't remember all the places they used their password and those devices then try top connect, over and over again, and eventually disable the account. Student tries to logon using the new password and can't. The student calls the helpdesk to report then can't logon and the first thing the helpdesk does is reset the password. And the cycle continues. If the student does think about then need to change the wireless device password they almost always forget that activesync needs changed too. One recent incident we had it took almost three weeks to get a student back to normal because they had used a parents phone to setup their email account and forget they did that. And in another couple of months that will all happen again -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger A Safian Sent: Thursday, April 03, 2014 8:50 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Password expiration - was Re: [SECURITY] Security Awareness Programs
Ultimately, I'm not finding the benefit strong enough to move me from my core belief that it's not worth the usability trade-off and we should instead be focusing energy getting users to use password managers. But I admit that's subjective.
I'm not sure that password managers will take off. The whole password system is little more than an annoyance to most users, and until that changes, we're just expending a lot of energy, mostly needlessly. That being said, I'm pinning my hopes on multi-factor authentication. Maybe one of us will get lucky.
Current thread:
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Shane Williams (Apr 02)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Von Welch (Apr 02)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Roger A Safian (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Von Welch (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Flynn, Gary - flynngn (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Roger A Safian (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Mike Cunningham (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Roger A Safian (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Carlos Lobato (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Chris Green (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Roger A Safian (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Rich Graves (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Von Welch (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Von Welch (Apr 02)
- <Possible follow-ups>
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Shane Williams (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Joe St Sauver (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Von Welch (Apr 03)