Educause Security Discussion mailing list archives

Re: Password Security


From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Tue, 23 Oct 2007 13:57:58 -0400

Thanks Gene.  As always I appreciate your view and response on items!

One of my biggest fears is to have one of the national news agencies show
this card on TV and then pan to a shot of me where they proceed to ask the
question "why did your department allow the University to do this".....  my
second biggest fear is having to answer the same question from anyone who
was the victim of a crime due to someone stealing their "password card".


-Kevin


Kevin L. McLaughlin
CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)








-----Original Message-----
From: Gene Spafford [mailto:spaf () CERIAS PURDUE EDU]
Sent: Tuesday, October 23, 2007 1:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Security

Simplest argument?

If an employee has identity/assets/benefits stolen as a result of
theft of one of these cards, there is no shortage of experts who
could testify -- in a negligence lawsuit against the university --
that it is known bad practice to write sensitive passwords where they
can be found.  That could mean increased damages against the
university from any aggrieved employee.

Oh, and now that this thread is online, any aggrieved employees (or
their attorneys) will be able to find it to help identify said
experts and show that the university had prior notice.

So, as with any standard risk management, it is up to university
authorities to decide if it is worth the risk of losing a messy,
expensive lawsuit that might be enabled by their policy.

:-)
