Educause Security Discussion mailing list archives

Re: Password Policies for today's knowledge worker


From: Matthew Trump <M.Trump () KENT AC UK>
Date: Wed, 10 Feb 2016 12:30:40 +0000

I'd beg to differ.

The problem with the Enigma is that the Germans placed 100% confidence in their technology (sound familiar?) and were 
beaten by the human factor (sound even more familiar?).

If you can't detect when an account has been compromised, I'd respectfully suggest that you have bigger issues to worry 
about.

Matthew

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Larry K. 
Emmons
Sent: 10 February 2016 11:59
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

David,

I like the response.  I'm going to use it the next time I am with the person who asked me the question - I'll let you 
know how it goes :)

Thanks,
Larry

Larry K. Emmons
Director of Technology and Support Services
www.svsu.edu
www.svsu.edu/its

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Julie 
Journitz
Sent: Tuesday, February 9, 2016 9:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

David,

That's a great response.


Julianne Journitz
Director of Client Services
Information Technology Services
Pomona College
156 East 7th Street
Claremont, California 91711
http://research.pomona.edu/itsecurity/
@pomonahelp

On Feb 9, 2016, at 6:00 PM, David Lundy <dlundy () PACIFIC EDU> wrote:
Larry:
      Because of uncertainty.  One does not necessarily know of a compromise.  Consider that the Germans lost U-Boats 
in WWII because they were unaware that Enigma had been compromised.

David Lundy
-----------------------------------
David Lundy
Assistant IT Security Officer
University of the Pacific
Stockton, CA 95211
Email: dlundy () pacific edu
Voice: 209-946-3951
Fax: 209-946-2898



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Larry K. 
Emmons
Sent: Tuesday, February 09, 2016 5:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Policies for today's knowledge worker

Neal,

In a similar discussion I was challenged with a question. "Why do I need to change my password?"  I went through the 
typical responses about security and was then asked the same question again.  I pondered my dilemma and was then 
enlightened with a response.  I should only have to change my password if it has been compromised.  If it hasn't been 
compromised, why change it?

Chicken or egg?
Thanks,
Larry

Director of Technology and Support Services
Saginaw Valley State University
www.svsu.edu



On Tue, Feb 9, 2016 at 4:28 PM -0800, "Fisch, Neal" <Neal.Fisch () CSUCI EDU> wrote:

Good afternoon everyone,

In today's world of knowledge workers having a multitude of devices used for accessing their work data, I would like to
know how strict you feel password policies should be to be able to accommodate this plethora of devices, accommodate a 
seamless password change process, and still be secure.  Items of particular interest are password/access controls 
specifically in regards to acceptable timeframes for password resets and number of failed login attempts.

Thanks all!

Neal

Neal Fisch
Director, Enterprise Services and Security
Information Security Officer
Division of Technology & Communication
California State University Channel Islands
One University Drive, Camarillo CA 93012
Solano Hall - Room 2178

Email:  neal.fisch () csuci edu
Voice:  805-437-3278 | Mobile:  805-443-6529 | Fax:  805-437-3377