Educause Security Discussion mailing list archives

Re: Password Security


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Tue, 23 Oct 2007 11:03:55 -0700

Anyone concerned about liability issues should talk to an attorney in
their jurisdiction.  It may be a known bad practice to write down
passwords and leave them stuck to a monitor or a keyboard, but some
experts do feel that writing passwords down is a good practice (provided
they are kept in a reasonably secure location).  That experts differ in
their opinions here makes liability a more difficult question.

http://www.schneier.com/blog/archives/2005/06/write_down_your.html

Ascribing to a bad practice may make you liable for negligence, but it
won't change the damages once you're negligent.  Except in egregious
cases where punitive damages come into play, which is unlikely here,
you're liable for the damage caused by your negligent acts.  Your
liability isn't reduced if you're just a little bit negligent or
increased if you're really negligent, except to the extent that it causes
more or less damage.

I don't see why prior notice would be an issue here.

Run the proposed ideas by your school's legal counsel and get them to
research the relevant law.

Cheers,

Steven Alexander Jr.
Online Education Systems Manager
Merced College


-----Original Message-----
From: Gene Spafford [mailto:spaf () CERIAS PURDUE EDU] 
Sent: Tuesday, October 23, 2007 10:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Security

Simplest argument?

If an employee has identity/assets/benefits stolen as a result of  
theft of one of these cards, there is no shortage of experts who  
could testify -- in a negligence lawsuit against the university --  
that it is known bad practice to write sensitive passwords where they  
can be found.  That could mean increased damages against the  
university from any aggrieved employee.

Oh, and now that this threat is online, any aggrieved employees (or  
their attorneys) will be able to find it to help identify said  
experts and show that the university had prior notice.

So, as with any standard risk management, it is up to university  
authorities to decide if it is worth the risk of losing a messy,  
expensive lawsuit that might be enabled by their policy.

:-)
