Educause Security Discussion mailing list archives

Re: Password Security


From: David Seidl <dseidl () ND EDU>
Date: Tue, 23 Oct 2007 16:25:16 -0400

I ran into Gary in the hall and mentioned what I tell people who can't
remember passwords/passphrases, and who can't or won't use a Password
Safe style application.

The spiel goes something like this:

If you can't remember your passphrases, then you should write down part,
and remember the rest. A list of phrases with a common key portion
missing is quite reasonable as long as it isn't easily reverse
engineered. The incidence of losing both your wallet, and having someone
learn your keyphrase is likely to be very low unless you're in the bad
habit of muttering as you type it...

If you do lose the battle over the cards, turn it into a user education
opportunity - "How many of you in this room have lost your wallet, or
had it stolen?"  followed by "Who has their complete password written
down in their wallet next to their university ID card?" should be a
winning combination.

David
--
------------------------------------------------------------
David Seidl, CISSP
University of Notre Dame, Office of Information Technologies
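The "write down part, remember the rest" scheme above can be modelled to see what each compromise actually costs the attacker, and where the "easily reverse engineered" caveat bites. The following is an added example, not code from David's post or from Educause; the card contents, the memorized key and the 94-symbol alphabet are constructed placeholders, not real credentials.

```python
import math

# Constructed card: only per-account fragments are written down.
# The key portion is memorized and never appears on the card.
CARD = {
    "library": "orange-bicycle",
    "email":   "silent-harbor",
    "payroll": "copper-lantern",
}
MEMORIZED_KEY = "7Qx!m"   # constructed; the part that is never written down
ALPHABET_SIZE = 94        # printable ASCII; assumption used to size the guess space


def assemble(card, account, key):
    """Full passphrase = written fragment for the account + memorized key."""
    return card[account] + key


def guess_space_bits(length, alphabet_size=ALPHABET_SIZE):
    """Search space, in bits, for a uniformly chosen string of this length."""
    return length * math.log2(alphabet_size)


def attacker_work_bits(card, account, key, card_lost=False, key_overheard=False):
    """Bits the attacker must still brute-force for one account, given what leaked.

    Losing the wallet reveals the fragment; being overheard reveals the key;
    only both together reduce the remaining work to zero.
    """
    unknown_chars = 0
    if not card_lost:
        unknown_chars += len(card[account])
    if not key_overheard:
        unknown_chars += len(key)
    return guess_space_bits(unknown_chars)


def recover_key_from_leak(card, account, leaked_full_password):
    """The reverse-engineering caveat: whoever holds the card and learns one
    full password (e.g. from a breached site) gets the shared key by stripping
    the written fragment, and with it every other entry on the card."""
    fragment = card[account]
    if leaked_full_password.startswith(fragment):
        return leaked_full_password[len(fragment):]
    return None


def accounts_exposed_by_leak(card, account, leaked_full_password):
    """All accounts the card holder loses once a shared key is recovered."""
    if recover_key_from_leak(card, account, leaked_full_password) is None:
        return []
    return sorted(card)  # one common key means every entry is exposed
```

The useful defender-side reading is the last two functions: a single shared key portion keeps the wallet-loss scenario cheap for the user, but it turns any one site's breach into a key for the whole card. Using a key that is not a plain suffix (or different keys per risk tier) is what keeps the card from being "easily reverse engineered".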

Gary Dobbins wrote:
The legendary advice "never write passwords down" originated from the days
when officemates were among the major threats, 3270 terminals were new, and
post-it notes soon became the classic example of that threat vector.

Now that the Internet is the usual vector for password attack, IMO having a
stronger password is very important, even if they have to keep a copy in
their wallet (or somewhere reasonably safe) because it's not memorable.

The risk here depends on the value of the asset being protected by that
password, and whether these people are likely to choose bad (but memorable)
passwords if they are prohibited from writing them down.  Let's presume the
asset is not of unusual value.  If it were, it may be too permissive to let
them write passwords.

If the asset is not unusual, I would ensure that the passwords are strong,
then let them keep them in their wallet, especially if they're infrequent
users.  You'll save everyone "lost password" headaches, and fewer of their
accounts will end up in the hands of hostile persons across the net.
