Re: Password Security

[Gary Dobbins <dobbins () ND EDU>]

The legendary advice "never write passwords down" originated from the days
when officemates were among the major threats, 3270 terminals were new, and
post-it notes soon became the classic example of that threat vector.

Now that the Internet is the usual vector for password attack, IMO having a
stronger password is very important, even if they have to keep a copy in
their wallet (or somewhere reasonably safe) because it's not memorable.

The risk here depends on the value of the asset being protected by that
password, and whether these people are likely to choose bad (but memorable)
passwords if they are prohibited from writing them down.  Let's presume the
asset is not of unusual value.  If it were, it may be too permissive to let
them write passwords.

If the asset is not unusual, I would ensure that the passwords are strong,
then let them keep them in their wallet, especially if they're infrequent
users.  You'll save everyone "lost password" headaches, and fewer of their
accounts will end up in the hands of hostile-persons across the net.



> -----Original Message-----
> From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
> Sent: Tuesday, October 23, 2007 12:43 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Password Security
>
> Hi All:
>
> I am currently fighting an internal battle and wanted to do a sanity
> check
> to see if I am being too stubborn with my stance.
>
> Scenario:
>
> I have a department that wants to give their employees information on
> business sized cards.  There is a slot on the card for people to write
> down
> their passwords to their payroll and annual benefits account.  The idea
> is
> for the less computer literate staff to be able to keep these handy (in
> their wallets or purses let's say) so that they can refer to them as
> needed.
>
>
> For years we have been teaching people to not write their passwords
> down and
> while some people may do this on their own I feel that by telling them
> to do
> something that is so "anti-best practice" we are increasing our overall
> liability if any of these accounts are breached.  Btw - I have
> discussed
> many alternative approaches with the department - none of which they
> are
> interested in hearing.
>
> Thoughts?  (can be directed to me personally vs. the listserve if you
> prefer)
>
> -Kevin
>
>
> Kevin L. McLaughlin
> CISM, CISSP, PMP, ITIL Master Certified
> Director, Information Security
> University of Cincinnati
> 513-556-9177 (w)
> 513-703-3211 (m)
> 513-558-ISEC (department)
>
>
>
>
>
> CONFIDENTIALITY NOTICE: This e-mail message and its content is
> confidential,
> intended solely for the addressee, and may be legally privileged.
> Access to
> this message and its content by any individual or entity other than
> those
> identified in this message is unauthorized. If you are not the intended
> recipient, any disclosure, copying or distribution of this e-mail may
> be
> unlawful. Any action taken or omitted due to the content of this
> message is
> prohibited and may be unlawful.