Educause Security Discussion mailing list archives
Re: Please do not change your password
From: "Tonkin, Derek K" <Derek_Tonkin () BAYLOR EDU>
Date: Fri, 16 Apr 2010 08:49:01 -0500
I think a lot of the confusion and difficulty could be reduced by losing the thinking that each password “if I'm responsible, needs to be different”. I think this is one of those areas where the cost vs. risk mitigated is badly out of balance. You’ve clearly established that you basically have two sets of information, sensitive and non-sensitive. To me that would indicate the need for two passwords.

It is a fair amount of work if you discover you’ve been compromised but if you had different passwords for all of those accounts you’d more than likely end up writing them down together somewhere and if you do that then more than likely losing one password would typically mean you’d lost all of your passwords and would thus still have to do all of the same work. Furthermore, this would reduce both the burden of high password strength and the need to write passwords down since you would only be keeping track of two passwords at a time.

Of course you could come up with a three-level approach or whatever but the advantages of having different passwords for everything are greatly outweighed by the burden having all those different passwords creates.

-------------Baylor University-------------
Derek Tonkin
Information Security Analyst
Information Technology Services - Security
derek_tonkin () baylor edu
254-710-7061
---------------Sic 'em Bears---------------

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Geoff Nathan
Sent: Friday, April 16, 2010 5:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

This discussion reflects one that the tech support listserv at Wayne is currently having. An additional point I would make is how many distinct passwords most of us must use. I need a strong password for the following accounts:

Work machine login (2--I'm both an English professor and an IT guy)
Wayne State AccessID (e-mail, Bb, Pipeline, library..)
Bank account
Credit Card account
Smartphone account (to buy apps, restore from backup)
Medical insurance account
Cable/ISP/Phone (VOIP functions)
Gmail

Each of these needs to be strong, and, if I'm responsible, needs to be different. It's hard enough remembering which one needs which 'easily memorized cute passphrase', but if I had to rotate them regularly I'd never be able to do it. And this doesn't include all the others that are less sensitive (Amazon, Chronicle of Higher Ed., newspaper (only available online M-W and Sat), Consumer Reports, Zagat Online--all of which are either subscription-based or otherwise financially dependent).

We have painted ourselves into a corner and I agree with the Microsoft research article referred to earlier that we shouldn't be beating up on the average users. If we can't cope, how can they?

Geoff

Geoffrey S. Nathan
Faculty Liaison, C&IT
and Associate Professor, Linguistics Program
+1 (313) 577-1259 (C&IT)
+1 (313) 577-8621 (English/Linguistics)

----- "SECURITY automatic digest system" <LISTSERV () LISTSERV EDUCAUSE EDU> wrote:
From: "SECURITY automatic digest system" <LISTSERV () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Friday, April 16, 2010 12:00:02 AM GMT -05:00 US/Canada Eastern
Subject: SECURITY Digest - 14 Apr 2010 to 15 Apr 2010 (#2010-84)
SECURITY Digest - 14 Apr 2010 to 15 Apr 2010 (#2010-84)

Table of contents:
* Please do not change your password (15)
* Security Architect job description?

1. Please do not change your password
* Re: Please do not change your password (04/15)
From: Steve Werby <smwerby () VCU EDU>
* Re: Please do not change your password (04/15)
From: Steve Werby <smwerby () VCU EDU>
* Re: Please do not change your password (04/15)
From: Allison Dolan <adolan () MIT EDU>
* Re: Please do not change your password (04/15)
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
* Re: Please do not change your password (04/15)
From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
* Re: Please do not change your password (04/15)
From: Bob Bayn <bob.bayn () USU EDU>
* Re: Please do not change your password (04/15)
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
* Re: Please do not change your password (04/15)
From: Don Cochran <dcochran () SCIPPINTERNATIONAL ORG>
* Re: Please do not change your password (04/15)
From: Steve Werby <smwerby () VCU EDU>
* Re: Please do not change your password (04/15)
From: Alex Keller <alkeller () SFSU EDU>
* Re: Please do not change your password (04/15)
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
* Re: Please do not change your password (04/16)
From: Tom Talley <Thomas.Talley () MICROSOFT COM>
* Re: Please do not change your password (04/15)
From: Eric Case <ecase () EMAIL ARIZONA EDU>
* Re: Please do not change your password (04/15)
From: Eric Case <ecase () EMAIL ARIZONA EDU>
* Re: Please do not change your password (04/15)
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>

2. Security Architect job description?
* Security Architect job description? (04/15)
From: "Fulton, Lora" <lfulton () BU EDU>