Educause Security Discussion mailing list archives
Re: Password Security
From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Tue, 23 Oct 2007 12:22:02 -0600
Gene has done what we should always do in this sort of situation: look at the risks and consequences and assess the impact of failure. There is a more subtle failure at the root of this question, that is, the encouragement to act in a manner that is insecure, thus propagating inferior practice. It builds upon a culture immune to security as a significant daily priority. That being said, there are those in our community with significant experience and clout suggesting, just as an early responder did, that writing down passwords is the lesser of two evils. In this case it is damned if you do and damned if you don't: one is a continual incremental operational drain, the other is the potential of a large-scale public event and terrible publicity, not to mention possible fines and even criminal liability.

This simply goes to prove that the password alone as a security construct is horribly broken. We have to move on to simple two-factor solutions or we will never nip this problem adequately. Keyloggers, shoulder surfers, insider criminals and on and on will continue to exploit the weaknesses of a typed secret. Just think about those cash cards in your pocket: a very simple key is possible because it is combined with possession of something that is difficult to attain. (Not saying this is a perfect model, just a whole lot better than remembering 132 complex and constantly changing passwords.) We really need to get more corporate in this aspect: some sort of ID/badge/token/USB key/proximity device/something plus a simple password for every constituent. Now that bad officemate not only has to learn the code, he or she has to actually steal the other half of the credential, something that places the constraint of possibly being seen or caught into the picture, and something that eliminates the vast majority of the potential remote attackers from gaining significant authority.
Perhaps Gene has at his fingertips some sort of cost comparison of the cumulative repetitive support and breach issues vs. the cost of implementing two-factor systems today? (I wouldn't put it past him, he's always got loads of insightful data!) It's got to be getting more even these days. One can dream, can't one? I know auditors have been castigated throughout history for making this type of recommendation, and I've avoided it for years (as it really was too expensive and complicated to be practical), but the truth is it is finally becoming affordable, the public outcry is getting great enough, and the risk is proving widespread enough to make the message germane.

Best regards,

Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

-----Original Message-----
From: Gene Spafford [mailto:spaf () CERIAS PURDUE EDU]
Sent: Tuesday, October 23, 2007 11:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Security

Simplest argument? If an employee has identity/assets/benefits stolen as a result of theft of one of these cards, there is no shortage of experts who could testify -- in a negligence lawsuit against the university -- that it is known bad practice to write sensitive passwords where they can be found. That could mean increased damages against the university from any aggrieved employee.

Oh, and now that this threat is online, any aggrieved employees (or their attorneys) will be able to find it to help identify said experts and show that the university had prior notice.

So, as with any standard risk management, it is up to university authorities to decide if it is worth the risk of losing a messy, expensive lawsuit that might be enabled by their policy. :-)
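The "something you know plus something you have" scheme argued for above, as an added worked example that is not part of the mailing-list thread. The post does not name a specific token technology; this example assumes an event-based one-time-password token (HOTP, RFC 4226), a server that stores a salted password hash next to the token's shared secret and counter, and a constructed secret and password. It shows the property the post relies on: a keylogged password alone fails, a shoulder-surfed code fails once it has been used, and only the holder of the token can produce the next code.

```python
"""Two-factor login: a typed password plus an HOTP code (RFC 4226) from a
possessed token. Added illustration; not code from the thread or any vendor.
The shared secret below is the RFC 4226 test secret, used here as constructed data."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The device in the user's pocket: holds the secret and its own counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Account:
    """Server-side record: salted password hash plus token secret and counter."""

    def __init__(self, password: str, token_secret: bytes, look_ahead: int = 5):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        self.token_secret = token_secret
        self.counter = 0            # next counter value the server will accept
        self.look_ahead = look_ahead  # tolerance for codes generated but never submitted

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, self._hash(password, self.salt))

    def _find_otp(self, code: str) -> Optional[int]:
        """Return the counter within the window that produces `code`, without
        changing state; None if no counter in the window matches."""
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                return c
        return None

    def login(self, password: str, code: str) -> bool:
        """Both factors are evaluated; the counter advances only on a fully
        successful login, so an accepted code can never be replayed."""
        pw_ok = self.check_password(password)
        match = self._find_otp(code)
        if pw_ok and match is not None:
            self.counter = match + 1
            return True
        return False


if __name__ == "__main__":
    # Constructed data: RFC 4226 test secret and a made-up password.
    SECRET = b"12345678901234567890"
    token = Token(SECRET)
    acct = Account("correct horse battery", SECRET)

    print("password only:", acct.login("correct horse battery", "000000"))   # False
    code = token.next_code()
    print("code only:    ", acct.login("keylogged?", code))                  # False
    print("both factors: ", acct.login("correct horse battery", code))       # True
    print("replayed code:", acct.login("correct horse battery", code))       # False
```

The look-ahead window is what makes a token usable when the user presses the button a few times without logging in; the replay check is what makes a shoulder-surfed code worthless a moment later. Neither protects the password hash itself, so PBKDF2 with a per-account salt is still used for the "know" factor.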