Educause Security Discussion mailing list archives
Re: Password Management Policy & Standards
From: Brad Judy <brad.judy () CU EDU>
Date: Fri, 26 Feb 2016 15:09:50 +0000
If the password is used to control the second factor, then you don't have a second factor.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu <http://www.cu.edu/>

On 2/26/16, 5:09 AM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Bradner, Scott" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of sob () HARVARD EDU> wrote:
you could care if the password is compromised if the password is used to enable or otherwise control the 2nd factor

Scott

On Feb 26, 2016, at 7:02 AM, Mark I. Berman <mberman () SIENA EDU> wrote:

Joanna,

So what you're saying is that the reason to expire passwords is to make the accountants happy rather than any rational balancing of risk/reward? I think I probably agree with you.

We just had a discussion here about whether we need to worry about password expiration and complexity so much if we move to two factor authentication. One thing that was brought up is that we might not even know if a password is compromised since the bad-guy still wouldn't be able to get in, lacking the second factor. And do we care at that point that the password was compromised?

Two factor auth certainly seems to throw a monkey wrench into the question of how important complex and frequently changed passwords really are!

- Mark

--
Mark Berman, Chief Information Officer
Siena College
515 Loudon Road
Loudonville, NY 12211
(518)782-6957, Fax: (518)783-2590