Educause Security Discussion mailing list archives

Re: Password Security (more law)


From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Fri, 26 Oct 2007 08:20:24 -0500

At 03:48 PM 10/25/2007, Valdis Kletnieks put fingers to keyboard and wrote:
> The average university has an amazing number of employees that do *not*
> have a locked desk or similar long-term storage.  Think maintenance crews,
> groundskeepers, food service - all those people who are most likely to *not*
> be IT-oriented.  If they leave it at home, it's of no use if they're part of
> the not-online-yet world.  And if they bring it to work so they can use
> a computer on-site, that means "wallet" or "purse".

Here's my take on this.  I was a hard core, never write your password down,
make them complex, kind of guy.  I'm not anymore.  The reality of the situation
is not all passwords are equal.

Supposing I, Joe User, write my password down.  I put it on a sticky, on
my monitor so I won't lose it.  Bad person sees this, and takes advantage
of it.  Alright, that's not a good situation, but what's really at risk
here?  Access to my email, and personal information?  We need to accept that
risk, because Joe User has already done so.  Joe probably has applications
set up to remember the password anyway.  Writing it down, and exposing it,
is, IMHO, only slightly more risky.

Now supposing Joe User has access beyond that.  Joe's a DB admin, or
works with finances.  Pick your scenario.  That's where we should care.
Joe has access to more data, and can expose our institutions to greater
risk.  So now if Joe writes his password down we should care, and hopefully
with proper administration of the clue stick, Joe will as well.  ;-)

Anyway, the skinny is all passwords are not equal.  Users don't like
them.  We need to pick our battles so we don't sound so shrill to
the community all the time.

My hope is that at some point two factor will converge, and users
will be able to combine a two factor they need, say it's on their
ATM card, with a password that we enable.  They already understand
the value of protecting their cash.  It would be great if we could
leverage that understanding.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"