Re: Password expiration - was Re: [SECURITY] Security Awareness Programs

[Von Welch <von () VONWELCH COM>]

Michael,

> They connect their laptop to wireless which embeds the password in the device.  
> They connect their phone to wireless which embeds the password in the device 
…

 As an aside, what I think you’re getting at here is the problem we’re mainly no longer authenticating users, we’re 
authenticating devices authorized by users.

 The first time I heard this articulated well was by Eric Grosse of Google [http://cps-vo.org/node/6440].

Von

On Apr 3, 2014, at 11:09 AM, Mike Cunningham <mike.cunningham () PCT EDU> wrote:

> To expand on the "annoyance" comment..
>
> We all will accept a new student, create them an account, set an initial password, have them change it on first use 
> to one of their choosing, All is well and good in the world.
> Then they come on campus...
> They connect their laptop to wireless which embeds the password in the device.  
> They connect their phone to wireless which embeds the password in the device 
> They setup activesync on their phone which embeds the password in the app  
> They connect their tablet to wireless which embeds the password in the device  
> They setup activesync on their tablet which embeds the password in the app  
> They connect their IPTV to wireless which embeds the password in the device  
> They connect their game console to wireless which (might) embed the password in the device
>
> Two months later we make them change their password and the chaos begins. They don't remember all the places they 
> used their password and those devices then try top connect, over and over again, and eventually disable the account. 
> Student tries to logon using the new password and can't. The student calls the helpdesk to report then can't logon 
> and the first thing the helpdesk does is reset the password. And the cycle continues. If the student does think about 
> then need to change the wireless device password they almost always forget that activesync needs changed too. One 
> recent incident we had it took almost three weeks to get a student back to normal because they had used a parents 
> phone to setup their email account and forget they did that. 
>
> And in another couple of months that will all happen again    
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger 
> A Safian
> Sent: Thursday, April 03, 2014 8:50 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password expiration - was Re: [SECURITY] Security Awareness Programs
>
> > Ultimately, I'm not finding the benefit strong enough to move me from 
> > my core belief that it's not worth the usability trade-off and we 
> > should instead be focusing energy getting users to use password 
> > managers. But I admit that's subjective.
>
> I'm not sure that password managers will take off.  The whole password system is little more than an annoyance to 
> most users, and until that changes, we're just expending a lot of energy, mostly needlessly.   That being said, I'm 
> pinning my hopes on multi-factor authentication.  Maybe one of us will get lucky.