Educause Security Discussion mailing list archives

Re: Please do not change your password


From: "Tonkin, Derek K" <Derek_Tonkin () BAYLOR EDU>
Date: Fri, 16 Apr 2010 08:49:01 -0500

I think a lot of the confusion and difficulty could be reduced by losing the thinking that each password “if I'm 
responsible, needs to be different”.  I think this is one of those areas where the cost vs. risk mitigated is badly out 
of balance.  You’ve clearly established that you basically have two sets of information, sensitive and non-sensitive.  
To me that would indicate the need for two passwords.

It is a fair amount of work if you discover you’ve been compromised but if you had different passwords for all of those 
accounts you’d more than likely end up writing them down together somewhere and if you do that then more than likely 
losing one password would typically mean you’d lost all of your passwords and would thus still have to do all of the 
same work.

Furthermore, this would reduce both the burden of high password strength and the need to write passwords down since you 
would only be keeping track of two passwords at a time.  Of course you could come up with a three-level approach or 
whatever but the advantages of having different passwords for everything are greatly outweighed by the burden having 
all those different passwords creates.

-------------Baylor University-------------
Derek Tonkin
Information Security Analyst
Information Technology Services - Security
derek_tonkin () baylor edu        254-710-7061
---------------Sic 'em Bears---------------

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Geoff Nathan
Sent: Friday, April 16, 2010 5:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

This discussion reflects one that the tech support listserv at Wayne is currently having. An additional point I would 
make is how many distinct passwords most of us must use. I need a strong password for the following accounts:
Work machine login (2--I'm both an English professor and an IT guy)
Wayne State AccessID (e-mail, Bb, Pipeline, library..)
Bank account
Credit Card account
Smartphone account (to buy apps, restore from backup)
Medical insurance account
Cable/ISP/Phone (VOIP functions)
Gmail
Each of these needs to be strong, and, if I'm responsible, needs to be different. It's hard enough remembering which 
one needs which 'easily memorized cute passphrase', but if I had to rotate them regularly I'd never be able to do it. 
And this doesn't include all the others that are less sensitive (Amazon, Chronicle of Higher Ed., newspaper (only 
available online M-W and Sat), Consumer Reports, Zagat Online--all of which are either subscription-based or otherwise 
financially dependent).
We have painted ourselves into a corner and I agree with the Microsoft research article referred to earlier that we 
shouldn't be beating up on the average users. If we can't cope, how can they?

Geoff

Geoffrey S. Nathan
Faculty Liaison, C&IT
and Associate Professor, Linguistics Program
+1 (313) 577-1259 (C&IT)
+1 (313) 577-8621 (English/Linguistics)

----- "SECURITY automatic digest system" <LISTSERV () LISTSERV EDUCAUSE EDU> wrote:
From: "SECURITY automatic digest system" <LISTSERV () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Friday, April 16, 2010 12:00:02 AM GMT -05:00 US/Canada Eastern
Subject: SECURITY Digest - 14 Apr 2010 to 15 Apr 2010 (#2010-84)






