Educause Security Discussion mailing list archives
Re: Please do not change your password
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Wed, 14 Apr 2010 08:26:47 -0500
Unlikely that it'll change the audit book. Nor should it, necessarily. The study is really predicated on consumer accounts, and doesn't address duty of care issues for data custodians, among other things. I've rarely seen that mentioned over the last five months' discussion, since the paper was published.

One particularly acute point on this topic is the paper's assertion that financial fraud loses the user nothing. While true in some personal financial account situations, that is demonstrably not true for US commercial online bank accounts (see Krebsonsecurity.com for many examples), and as I recall isn't true for all personal banking accounts in other countries.

All that said, it's a goodish paper, and we've all known that passwords are horrid for well over a decade, but substantial progress on password replacement is pretty poor, overall.

-jml

-----Original Message-----
From: Justin Sherenco
Sent: 2010-04-14 08:04:59
To: Justin Sherenco; The EDUCAUSE Security Constituent Group Listserv
Cc:
Subject: [SECURITY] Please do not change your password

Hello,

I came across an interesting article on password changes. Author Cormac Herley of Microsoft makes a good case, albeit just a cost-benefit analysis. I had to go back and think of why these types of policies were created in the first place. I came to my own conclusion that they were created before the days of complex password (passphrase) enforcement and the ability to automatically lock out accounts after X amount of failed log-in attempts. Do you think he can convince the auditors?

http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full

Regards,
Justin

-------------------------------------
Justin Sherenco
Security Analyst
734-487-8574
Eastern Michigan University
http://it.emich.edu/security
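Justin's argument rests on the control he names as having superseded forced rotation: automatic lockout after X failed log-in attempts. As an added illustration, not code from the thread or from either poster, here is a small Python model of that control: per-account failure counting inside a sliding window, a timed lockout once the threshold is hit, and a reset on successful login. The user table, salt, passphrase and fake clock are constructed for the demo; a real deployment would use per-user salts and persistent, shared state rather than an in-memory dict.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# --- constructed credential store (demo only; real systems use per-user salts) ---
_DEMO_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _DEMO_SALT, 100_000)


USERS = {"alice": _hash_password("correct horse battery staple")}  # constructed


def verify_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users still pay the hash cost."""
    stored = USERS.get(user)
    candidate = _hash_password(password)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)


# --- lockout policy: "lock after X failed attempts" from the thread ---
@dataclass
class LockoutPolicy:
    max_failures: int = 5        # X failed attempts before the account locks
    lockout_seconds: int = 900   # how long the lock lasts
    window_seconds: int = 600    # failures older than this no longer count


@dataclass
class _AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self, policy: LockoutPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock          # injectable so the demo can advance time
        self._accounts: dict[str, _AccountState] = {}

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def is_locked(self, user: str) -> bool:
        return self._state(user).locked_until > self.clock()

    def record_failure(self, user: str) -> bool:
        """Record one failed attempt; return True if this failure locked the account."""
        st = self._state(user)
        now = self.clock()
        # drop failures that fell out of the sliding window
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self._state(user).failures.clear()

    def attempt(self, user: str, password: str) -> str:
        """Returns 'locked', 'ok' or 'denied'. A locked account rejects even the right password."""
        if self.is_locked(user):
            return "locked"
        if verify_password(user, password):
            self.record_success(user)
            return "ok"
        return "locked" if self.record_failure(user) else "denied"


class FakeClock:
    """Constructed clock so the demo can show the lock expiring without sleeping."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo_lockout() -> list:
    """Three bad guesses lock the account; the lock blocks the real passphrase until it expires."""
    clock = FakeClock()
    throttle = LoginThrottle(LockoutPolicy(max_failures=3, lockout_seconds=60, window_seconds=30), clock)
    results = [throttle.attempt("alice", "wrong") for _ in range(3)]
    results.append(throttle.attempt("alice", "correct horse battery staple"))
    clock.advance(61)
    results.append(throttle.attempt("alice", "correct horse battery staple"))
    return results


def demo_window() -> list:
    """Failures spaced wider than the window never accumulate to a lock."""
    clock = FakeClock()
    throttle = LoginThrottle(LockoutPolicy(max_failures=3, lockout_seconds=60, window_seconds=30), clock)
    results = []
    for _ in range(3):
        results.append(throttle.attempt("alice", "wrong"))
        clock.advance(31)
    return results


if __name__ == "__main__":
    print(demo_lockout())   # ['denied', 'denied', 'locked', 'locked', 'ok']
    print(demo_window())    # ['denied', 'denied', 'denied']
```

The sliding window is what keeps the control from being a pure denial-of-service lever against legitimate users: a few mistyped logins spread over a day do not accumulate. Even so, a per-account lock lets anyone who knows a username keep it locked by feeding it bad guesses, so production deployments usually pair this with progressive delays or source-based rate limits and alert on lockout spikes rather than relying on the counter alone.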
Current thread:
- Please do not change your password Justin Sherenco (Apr 14)
- <Possible follow-ups>
- Re: Please do not change your password Morrow Long (Apr 14)
- Re: Please do not change your password John Ladwig (Apr 14)
- Re: Please do not change your password Paul Kendall (Apr 14)
- Re: Please do not change your password Sarazen, Daniel (Apr 14)
- Re: Please do not change your password Jones, Dan (Apr 14)
- Re: Please do not change your password SCHALIP, MICHAEL (Apr 14)
- Re: Please do not change your password Doty, Timothy T. (Apr 14)
- Re: Please do not change your password David LaPorte (Apr 14)
- Re: Please do not change your password SCHALIP, MICHAEL (Apr 14)
- Re: Please do not change your password Doty, Timothy T. (Apr 14)
- Re: Please do not change your password Mike Porter (Apr 14)
- Re: Please do not change your password Mike Porter (Apr 14)
(Thread continues...)