Educause Security Discussion mailing list archives

Re: Password Policies for today's knowledge worker


From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Wed, 10 Feb 2016 15:26:42 +0000

You can't answer this question outside the context of a specific use case.
The answer depends on what is at risk.

Are you protecting a 'My favorite color survey' or are you protecting a
patient medical record?

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin
Sent: Wednesday, February 10, 2016 9:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

 

This also brings up the question of how often to require the change - at one
end you require it every time a person logs in; at the other you never
expire the password. How do you balance security with accessibility? How
about those back doors that most helpdesks strongly advocate for (favorite
ice cream, emergency e-mail, SMS text)?

 

Kevin

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Trump
Sent: Wednesday, February 10, 2016 6:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

 

I'd beg to differ.  

 

The problem with the Enigma is that the Germans placed 100% confidence in
their technology (sound familiar?) and were beaten by the human factor
(sound even more familiar?).

 

If you can't detect when an account has been compromised, I'd respectfully
suggest that you have bigger issues to worry about.

 

Matthew

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Larry K. Emmons
Sent: 10 February 2016 11:59
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

 

David,

 

I like the response.  I'm going to use it the next time I am with the person
who asked me the question - I'll let you know how it goes :)

 

Thanks,

Larry

 

Larry K. Emmons

Director of Technology and Support Services

 
www.svsu.edu

 
www.svsu.edu/its

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Julie Journitz
Sent: Tuesday, February 9, 2016 9:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

 

David,

 

That's a great response.

 

 

Julianne Journitz

Director of Client Services

Information Technology Services

Pomona College

156 East 7th Street

Claremont, California 91711

http://research.pomona.edu/itsecurity/

@pomonahelp


On Feb 9, 2016, at 6:00 PM, David Lundy <dlundy () PACIFIC EDU> wrote:

Larry:

      Because of uncertainty.  One does not necessarily know of a
compromise.  Consider that the Germans lost U-Boats in WWII because they
were unaware that Enigma had been compromised.

 

David Lundy

-----------------------------------

David Lundy

Assistant IT Security Officer

University of the Pacific

Stockton, CA 95211

Email: dlundy () pacific edu

Voice: 209-946-3951

Fax: 209-946-2898

 

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Larry K. Emmons
Sent: Tuesday, February 09, 2016 5:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

 

Neal,

 

In a similar discussion I was challenged with a question. "Why do I need to
change my password?"  I went through the typical responses about security
and was then asked the same question again.  I pondered my dilemma and was
then enlightened with a response.  I should only have to change my password
if it has been compromised.  If it hasn't been compromised, why change it?

 

Chicken or egg?

Thanks,
Larry

Director of Technology and Support Services
Saginaw Valley State University
www.svsu.edu

 

 

On Tue, Feb 9, 2016 at 4:28 PM -0800, "Fisch, Neal" <Neal.Fisch () CSUCI EDU> wrote:

 

Good afternoon everyone,

 

In today's world of knowledge workers having a multitude of devices used for
accessing their work data, I would like to know how strict you feel password
policies should be to be able to accommodate this plethora of devices,
accommodate a seamless password change process, and still be secure.  Items
of particular interest are password/access controls specifically in regards
to acceptable timeframes for password resets and number of failed login
attempts.

 

Thanks all!

 

Neal

 

Neal Fisch

Director, Enterprise Services and Security        

Information Security Officer

Division of Technology & Communication

California State University Channel Islands

One University Drive, Camarillo CA 93012

Solano Hall - Room 2178

 

Email:  neal.fisch () csuci edu

Voice:  805-437-3278 | Mobile:  805-443-6529 | Fax:  805-437-3377


 
