Educause Security Discussion mailing list archives
Re: Password Security (more law)
From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Fri, 26 Oct 2007 08:20:24 -0500
At 03:48 PM 10/25/2007, Valdis Kletnieks put fingers to keyboard and wrote:
> The average university has an amazing number of employees that do *not* have a locked desk or similar long-term storage. Think maintenance crews, groundskeepers, food service - all those people who are most likely to *not* be IT-oriented. If they leave it at home, it's of no use if they're part of the not-online-yet world. And if they bring it to work so they can use a computer on-site, that means "wallet" or "purse".
Here's my take on this. I was a hard core, never write your password down, make them complex, kind of guy. I'm not anymore. The reality of the situation is not all passwords are equal.

Supposing I, Joe User, write my password down. I put it on a sticky on my monitor so I won't lose it. Bad person sees this and takes advantage of it. Alright, that's not a good situation, but what's really at risk here? Access to my email and personal information? We need to accept that risk, because Joe User has already done so. Joe probably has applications set up to remember the password anyway. Writing it down, and exposing it, is, IMHO, only slightly more risky.

Now supposing Joe User has access beyond that. Joe's a DB admin, or works with finances. Pick your scenario. That's where we should care. Joe has access to more data, and can expose our institutions to greater risk. So now if Joe writes his password down we should care, and hopefully with proper administration of the clue stick, Joe will as well. ;-)

Anyway, the skinny is all passwords are not equal. Users don't like them. We need to pick our battles so we don't sound so shrill to the community all the time. My hope is that at some point two factor will converge, and users will be able to combine a two factor they need, say it's on their ATM card, with a password that we enable. They already understand the value of protecting their cash. It would be great if we could leverage that understanding.

--
Roger A. Safian
r-safian () northwestern edu (email)
public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"