Educause Security Discussion mailing list archives

Re: stopping students sharing their login credentials


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Fri, 23 Jan 2009 11:57:25 -0500

I'll agree with the replies that lean towards policy rather than technology
for this case (although the single concurrent login approach might be useful
in some institutions).

There will always be policies that cannot be directly enforced; it's the
basis for most of our laws.  Nothing actually prevents me from committing
most crimes except my values and the fear of consequences.  When you accept
that some individuals' values do not prevent them from doing things your
organization deems bad, then you have to fall to the consequences as a
deterrent.  (Naturally, if you simply feel that people are unaware of the
rule, the reasoning for the rule, or the consequences, then
education/communications are the first step.)

Part one of the consequences is the risk of getting caught.  If no one is
ever caught doing the "bad thing", then the severity of the consequence is
irrelevant.  This implies that there is some monitoring for concurrent
access, unusual access patterns, etc., and follow-up with the individual in
question.

Part two is the nature of the consequence.  As many institutions have
implemented an honor code related to cheating, lying, etc., I suggest that
sharing of passwords to grant unauthorized access be considered by your
student judiciary group as an honor code violation, carrying those impacts.
Then you can piggy-back on an existing process and notable set of
consequences.  I hope that, in general, all of you talk with your student
judiciary groups periodically about how IT security violations fit into
their process and I recommend proactively discussing how password sharing
fits in and if leveraging the honor code is appropriate.  Of course, these
suggestions only apply to students and students aren't the only people who
share passwords.  Presumably there are other avenues at your institution for
addressing employee misbehavior.

You may have to implement mechanisms to address some known issues with
legitimate foundations like parental access to information, guest access to
wireless networks, etc.  If you make such a rule and don't provide outlets
for legitimate needs, then you'll have either widespread discounting of the
rule or an uproar.

Brad Judy


----- Original Message -----
From: "Russell Fulton" <r.fulton () AUCKLAND AC NZ>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, January 22, 2009 9:25 PM
Subject: [SECURITY] stopping students sharing their login credentials


Background:

Earlier this week we had an incident where the building security officer
noticed a group of unfamiliar people using machines in one of our labs.
She asked them for their ID cards and none could (would?) produce one.
On questioning they said they were students from a neighbouring
institution and that they were using "borrowed" credentials.

We have CCTV footage and swipe card logs from the door (which may show
they tailgated someone in). We are now tracking down which machines
were being used so we can disable the accounts.

To the point.

We (the security techies) have been asked what measures we can deploy to
prevent this sort of thing happening in future.

We already do lots of education, posters, page on the back of the student
handbook. Students have no excuse for not knowing that they should not
share passwords.

On the social/education side we could make an example of anyone we finger
for this (assuming we can make charges stick) in the hope that this will
persuade other students not to share their passwords.

Technical solutions seem to revolve around some form of two-factor
authentication, i.e. something the student has but which they will be
reluctant to part with for any length of time. Like their ID card.

Our ID cards have bar codes and classic mag stripe. Some labs (like
this one) also have proximity card locks. Generally only post grad
students or students in special courses (like medicine) have proximity
cards.

Anyway I would very much like to know what others are doing in this space.

Cheers, Russell




