Educause Security Discussion mailing list archives

Re: Password policy


From: "Mclaughlin, Kevin L (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Thu, 2 Nov 2006 12:53:59 -0500

The only way to do that would be to have an enforced policy of storing
no sensitive data on the laptop or have the hard drive / data folder
encrypted. We routinely do forensic examinations that discover ALL the
data on PCs and have no need of a user's passwords in order to get the
data.
-Kevin


Kevin L. McLaughlin
CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu

-----Original Message-----
From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU] 
Sent: Wednesday, November 01, 2006 10:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

A growing number of our users have laptop PCs.

Our concern is protecting the data when the thief has physical
possession of the computer.

At 09:30 PM 11/1/2006, Jeff Kell wrote:
Geoff Nathan wrote:

But seriously, who's going to try to break into Professor Snerdwell's
e-mail account with a dictionary attack?  And unless we're worried
about month-long sustained attacks, frequent password changes are just
annoying without buying additional security.  Making people change
their passwords every ninety days doesn't teach good computer hygiene,
it annoys them and confirms their impression that the IT people have
nothing better to do.

Hear, hear!

Hackers don't crack passwords anymore, they simply present a
socially-engineered URL for the already-authenticated user to click on
for a drive-by install of the backdoor/keylogger of his choice.

Jeff

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O) 
