Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Andrea Beesing <amb3 () CORNELL EDU>
Date: Sun, 25 Nov 2007 19:28:47 -0500

Eric,

This statement was the subject of some debate among staff who
participated in the drafting of the university policy, the final version
of which is still pending. In the current draft the wording has been
changed to better capture the intent:

"To avoid unauthorized access to IT resources, users must apply the following rules for using passwords associated with 
a Cornell electronic identifier:

--Store the password in a secure location
--Do not collect passwords from others or store them anywhere"

Although not part of the policy per se, but discussed as an
implementation detail, is a set of recommendations for users who find it
necessary to store their own passwords somewhere for retrieval later.
The use of specific encryption tools could be included in the
recommendations.  I expect that as we approach completion of the policy
over the next several weeks we'll re-open this discussion. It's possible
that the above wording will be refined as well.

Andrea Beesing
Asst Dir, IT Security
Cornell Information Technologies
120 Maple Ave.
Ithaca, NY   14853
607 254-7441

Eric Case wrote:
At 04:35 PM 11/20/2007 -0500, Andrea Beesing wrote:
I am sending you a link to an interim policy which includes
information about our current password standard. When we implemented
the password complexity rules we chose not to include password
aging/expiration.
It's very possible that this decision could be revisited in the
future as we refine our approach to data classification and security.

http://www.cit.cornell.edu/policy/interim/AuthenticationITR.html

     It says "The password must never be shared, written down, or
stored in electronic form."  Does that mean programs like Password
Safe can't be used to store an encrypted password?  What about the
authentication itself?  It stores the encrypted password in electronic
form.
-Eric


Eric Case, CISSP  <ecase () Arizona edu>
Information Security Officer
College of Engineering   <http://www.Engr.Arizona.edu>
1127 E James E. Rogers Way Room 200
Tucson, AZ 85721-0020
Mobile Phone 520-275-6436


