Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 19 Mar 2010 12:04:37 +1300
sent via Iron port test set up. Please report any oddities :)

On 18/03/2010, at 3:56 AM, Joe St Sauver wrote:
Regarding passwords, Russell Fulton <r.fulton () AUCKLAND AC NZ> mentioned:

#The general consensus seems to be that there is value in getting users
#to change their passwords at, say, yearly intervals but as you increase
#the frequency the cost to the user escalates and eventually they will
#start writing the passwords down and sticking them to the screen and
#even before that happens the cost in terms of frustration is significant
#and may well outweigh any real security benefits.

In my experience, the problem isn't the *frequency* of the changes that's the problem, rather it is the:
[heaps of good stuff snipped]

Yes, Joe is right -- it isn't just the frequency that is the issue -- I had oversimplified. It still boils down to the fact that passwords are inadequate protection for anything you really care about.

I also agree with most of Joe's other comments on my post -- I was being deliberately provocative (in keeping with the thread :) and it is good to see all this follow-up!

On the issue of Best Practice -- my real complaint is that the term is overused and what is best practice in one set of circumstances may be suboptimal in others. I am all for having standard practices documented so long as the assumptions of the analysis are spelt out -- most often they are not. So people implement what they are told is best practice but in fact is far from it.

Thanks too to Valdis for clarifying the issue over budgets. This is an illustration of the weakness in tracking real costs. The cost of people's time and frustration does not make it into financial reports -- they just haemorrhage invisibly.

Russell