Educause Security Discussion mailing list archives
Re: stopping students sharing their login credentials
From: Brad Judy <win-hied () BRADJUDY COM>
Date: Fri, 23 Jan 2009 11:57:25 -0500
I'll agree with the replies that lean towards policy rather than technology for this case (although the single concurrent login approach might be useful in some institutions). There will always be policies that cannot be directly enforced; it's the basis for most of our laws. Nothing actually prevents me from committing most crimes except my values and the fear of consequences. When you accept that some individuals' values do not prevent them from doing things your organization deems bad, then you have to fall to the consequences as a deterrent. (Naturally, if you simply feel that people are unaware of the rule, the reasoning for the rule, or the consequences, then education/communications are the first step.)

Part one of the consequences is the risk of getting caught. If no one is ever caught doing the "bad thing", then the severity of the consequence is irrelevant. This implies that there is some monitoring for concurrent access, unusual access patterns, etc., and follow-up with the individual in question.

Part two is the nature of the consequence. As many institutions have implemented an honor code related to cheating, lying, etc., I suggest that sharing of passwords to grant unauthorized access be considered by your student judiciary group as an honor code violation, carrying those impacts. Then you can piggy-back on an existing process and notable set of consequences.

I hope that, in general, all of you talk with your student judiciary groups periodically about how IT security violations fit into their process, and I recommend proactively discussing how password sharing fits in and if leveraging the honor code is appropriate.

Of course, these suggestions only apply to students, and students aren't the only people who share passwords. Presumably there are other avenues at your institution for addressing employee misbehavior.

You may have to implement mechanisms to address some known issues with legitimate foundations like parental access to information, guest access to wireless networks, etc. If you make such a rule and don't provide outlets for legitimate needs, then you'll have either widespread discounting of the rule or an uproar.

Brad Judy

----- Original Message -----
From: "Russell Fulton" <r.fulton () AUCKLAND AC NZ>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, January 22, 2009 9:25 PM
Subject: [SECURITY] stopping students sharing their login credentials

Background: Earlier this week we had an incident where the building security officer noticed a group of unfamiliar people using machines in one of our labs. She asked them for their ID cards and none could (would?) produce one. On questioning they said they were students from a neighbouring institution and that they were using "borrowed" credentials. We have CCTV footage and swipe card logs from the door (which may show they tailgated someone in). We are now tracking down which machines were being used so we can disable the accounts.

To the point. We (the security techies) have been asked what measures we can deploy to prevent this sort of thing happening in future. We already do lots of education, posters, page on the back of the student handbook. Students have no excuse for not knowing that they should not share passwords.

On the social/education side we could make an example of anyone we finger for this (assuming we can make charges stick) in the hope that this will persuade other students not to share their passwords.

Technical solutions seem to revolve around some form of two-factor authentication, i.e. something the student has but which they will be reluctant to part with for any length of time. Like their ID card. Our ID cards have bar codes and classic mag stripe. Some labs (like this one) also have proximity card locks. Generally only post grad students or students in special courses (like medicine) have proximity cards.

Anyway, I would very much like to know what others are doing in this space.

Cheers, Russell