Educause Security Discussion mailing list archives
Re: Password Policies for today's knowledge worker
From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Wed, 10 Feb 2016 15:26:42 +0000
You can't answer this question outside the context of a specific use case. The answer depends on what is at risk. Are you protecting a 'My favorite color survey' or are you protecting a patient medical record?

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin
Sent: Wednesday, February 10, 2016 9:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

This also brings up the question of how often to require the change - at one end you require it every time a person logs in; at the other you never expire the password. How do you balance security with accessibility? How about those back doors that most helpdesks strongly advocate for (favorite ice cream, emergency e-mail, SMS text)?

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Trump
Sent: Wednesday, February 10, 2016 6:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

I'd beg to differ. The problem with the Enigma is that the Germans placed 100% confidence in their technology (sound familiar?) and were beaten by the human factor (sound even more familiar?).

If you can't detect when an account has been compromised, I'd respectfully suggest that you have bigger issues to worry about.

Matthew

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Larry K. Emmons
Sent: 10 February 2016 11:59
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

David,

I like the response. I'm going to use it the next time I am with the person who asked me the question - I'll let you know how it goes :)

Thanks,
Larry

Larry K. Emmons
Director of Technology and Support Services
www.svsu.edu
www.svsu.edu/its

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Julie Journitz
Sent: Tuesday, February 9, 2016 9:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

David,

That's a great response.

Julianne Journitz
Director of Client Services
Information Technology Services
Pomona College
156 East 7th Street
Claremont, California 91711
http://research.pomona.edu/itsecurity/
@pomonahelp

On Feb 9, 2016, at 6:00 PM, David Lundy <dlundy () PACIFIC EDU> wrote:

Larry:

Because of uncertainty. One does not necessarily know of a compromise. Consider that the Germans lost U-Boats in WWII because they were unaware that Enigma had been compromised.

David Lundy

-----------------------------------
David Lundy
Assistant IT Security Officer
University of the Pacific
Stockton, CA 95211
Email: dlundy () pacific edu
Voice: 209-946-3951
Fax: 209-946-2898

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Larry K. Emmons
Sent: Tuesday, February 09, 2016 5:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

Neal,

In a similar discussion I was challenged with a question. "Why do I need to change my password?" I went through the typical responses about security and was then asked the same question again. I pondered my dilemma and was then enlightened with a response. I should only have to change my password if it has been compromised. If it hasn't been compromised, why change it? Chicken or egg?

Thanks,
Larry

Director of Technology and Support Services
Saginaw Valley State University
www.svsu.edu

On Tue, Feb 9, 2016 at 4:28 PM -0800, "Fisch, Neal" <Neal.Fisch () CSUCI EDU> wrote:

Good afternoon everyone,

In today's world of knowledge workers having a multitude of devices used for accessing their work data, I would like to know how strict you feel password policies should be to be able to accommodate this plethora of devices, accommodate a seamless password change process, and still be secure.

Items of particular interest are password/access controls specifically in regards to acceptable timeframes for password resets and number of failed login attempts.

Thanks all!

Neal

Neal Fisch
Director, Enterprise Services and Security
Information Security Officer
Division of Technology & Communication
California State University Channel Islands
One University Drive, Camarillo CA 93012
Solano Hall - Room 2178
Email: neal.fisch () csuci edu
Voice: 805-437-3278 | Mobile: 805-443-6529 | Fax: 805-437-3377
Current thread:
- Password Policies for today's knowledge worker Fisch, Neal (Feb 09)
- Re: Password Policies for today's knowledge worker Larry K. Emmons (Feb 09)
- Re: Password Policies for today's knowledge worker David Lundy (Feb 09)
- Re: Password Policies for today's knowledge worker Julie Journitz (Feb 09)
- Re: Password Policies for today's knowledge worker Larry K. Emmons (Feb 10)
- Re: Password Policies for today's knowledge worker Matthew Trump (Feb 10)
- Re: Password Policies for today's knowledge worker Shalla, Kevin (Feb 10)
- Re: Password Policies for today's knowledge worker Jones, Mark B (Feb 10)
- Re: Password Policies for today's knowledge worker Jones, Mark B (Feb 10)
- Re: Password Policies for today's knowledge worker David Lundy (Feb 09)
- Re: Password Policies for today's knowledge worker Larry K. Emmons (Feb 09)
- Re: Password Policies for today's knowledge worker Thomas Carter (Feb 10)
- Re: Password Policies for today's knowledge worker Jones, Mark B (Feb 09)
- <Possible follow-ups>
- Re: Password Policies for today's knowledge worker Brad Judy (Feb 10)