Educause Security Discussion mailing list archives
Re: Please do not change your password
From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Wed, 14 Apr 2010 09:36:07 -0400
No, he cannot convince the auditors. As was previously stated, the paper really deals with consumer accounts, not institutions. Furthermore, if your organization failed to put in place an accepted, standard control and then you have a PII breach as a result of the absence of the control, I'd imagine your liability would be significantly higher. That's just a guess though.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Sherenco
Sent: Wednesday, April 14, 2010 9:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Please do not change your password

Hello,

I came across an interesting article on password changes. Author Cormac Herley of Microsoft makes a good case albeit just a cost-benefit analysis. I had to go back and think of why these types of policies were created in the first place. I came to my own conclusion that they were created before the days of complex password (passphrase) enforcement and the ability to automatically lock out accounts after X amount of failed log-in attempts.

Do you think he can convince the auditors?

http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full

Regards,
Justin

-------------------------------------
Justin Sherenco
Security Analyst
734-487-8574
Eastern Michigan University
http://it.emich.edu/security