Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Kees Leune <LEUNE () ADELPHI EDU>
Date: Mon, 26 Nov 2007 13:48:45 -0500

On 11/21/2007 at 7:32 PM, in message
<20071122003256.2A52E27B115 () smtpgate email arizona edu>, Eric Case
<ecase () EMAIL ARIZONA EDU> wrote:

At 04:35 PM 11/20/2007 -0500, Andrea Beesing wrote:
I am sending you a link to an interim policy which includes 
information about our current password standard. When we implemented 
the password complexity rules we chose not to include password 
aging/expiration.
It's very possible that this decision could be revisited in the 
future as we refine our approach to data classification and security.

http://www.cit.cornell.edu/policy/interim/AuthenticationITR.html 

It says "The password must never be shared, written down, or stored in electronic form." Does that mean programs like Password Safe can't be used to store an encrypted password? What about the authentication itself? It stores the encrypted password in electronic form.
-Eric

I have a problem with this too. Auditors write such statements too easily, in my opinion. I have no problem with writing down passwords, provided

1) they are stored in a secure location (wallet, password safe, physical safe, etc), and
2) the corresponding system and/or login is not written down and stored in the same location.

I would much rather see users pick a good password that they write down, keep secure and change once or twice per year, than use a password that is so simple that they don't have to write it down, and change every 30-90 days. Of course, picking a good password that they do not write down is still preferred (actually, getting rid of passwords and using decent authentication would be even better).

The above only applies to passwords that give access to non-privileged systems; when it comes to passwords that are used to obtain privileged access, maintenance passwords, or passwords that are used by automated processes, the story obviously changes and more stringent measures can be put in place.

-Kees
-- 

Dr. Kees Leune CISSP
Information Security Officer
Adelphi University
Garden City, NY 11530 
+1 (516) 877-3936