Educause Security Discussion mailing list archives
Re: Password policy
From: "Mclaughlin, Kevin L (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Thu, 2 Nov 2006 12:53:59 -0500
The only way to do that would be to have an enforced policy of storing no sensitive data on the laptop or have the hard drive / data folder encrypted. We routinely do forensic examinations that discover ALL the data on PCs and have no need of a user's passwords in order to get the data.

-Kevin

Kevin L. McLaughlin
CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu

CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential, intended solely for the addressee, and may be legally privileged. Access to this message and its content by any individual or entity other than those identified in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be unlawful.

-----Original Message-----
From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
Sent: Wednesday, November 01, 2006 10:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

A growing number of our users have laptop PCs. Our concern is protecting the data when the thief has physical possession of the computer.

At 09:30 PM 11/1/2006, Jeff Kell wrote:
Geoff Nathan wrote:

But seriously, who's going to try to break into Professor Snerdwell's e-mail account with a dictionary attack? And unless we're worried about month-long sustained attacks, frequent password changes are just annoying without buying additional security. Making people change their passwords every ninety days doesn't teach good computer hygiene, it annoys them and confirms their impression that the IT people have nothing better to do.

Hear, hear! Hackers don't crack passwords anymore, they simply present a socially-engineered URL for the already-authenticated user to click on for a drive-by install of the backdoor/keylogger of his choice.

Jeff

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)