Educause Security Discussion mailing list archives

Re: SECURITY Digest - 15 Oct 2009 to 16 Oct 2009 (#2009-236)


From: Kevin Shalla <kshalla () UIC EDU>
Date: Sun, 18 Oct 2009 10:56:00 -0500

That sounds really handy, but I'd be afraid that the system
administrator at that web site would have back-door access to all
your passwords.

At 06:15 PM 10/17/2009, Gary Dobbins wrote:
Has anyone else tried lastpass (.com)?  I've found it to be an
option for handling these problems.  It will randomly generate
passwords, remember them all, one for each place you visit, and
(presuming their answers to how they handle the data are true) the
storehouse of your passwords never leaves your computer unencrypted
by a master password only you know.

I'd be interested to hear if others find this valid, or if the
service has a serious Achilles Heel.



> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Geoff Nathan
> Sent: Saturday, October 17, 2009 6:37 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] SECURITY Digest - 15 Oct 2009 to 16 Oct 2009 (#2009-236)
>
> Matt said:
>
> >I tend to use truly random passwords from a
> >generator or those similar in style to what Don
> >mentioned.
>
> It's of course ideal to use long, random, meaningless strings as passwords.
> It's also ideal to have a different password for each application (server,
> e-mail, banking site, etc. etc.) that we log into. But I have two e-mail
> accounts (three if we include the one that AT&T gives me as part of my home
> setup), a Wayne State single sign-on password, my bank, my credit card, my
> retirement accounts, and then the less risky ones like Amazon, Zagat, Cooks
> Illustrated, Tripit, and I could go on (as in fact I have...)
> It's simply impossible to remember all these, unless I repeat the passwords,
> or use a password wallet (which itself is clumsy, and requires its own
> password). As others have said, the password paradigm is broken, and, as long
> as two-factor is too expensive we're going to continue to have trouble, and
> it's not the users' fault. We can't ask them to do twelve impossible things
> before breakfast and slap their wrists when they don't. Eventually they will
> slap back, and they will be right.
>
> Geoffrey S. Nathan
> Faculty Liaison, C&IT
