Educause Security Discussion mailing list archives

Re: Password Management


From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Wed, 27 Feb 2019 16:12:20 +0000

I use this in awareness workshops all the time...any password is only as good as you make it.
https://xkcd.com/936/


Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Maud, Phil
Sent: Wednesday, February 27, 2019 10:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management

Hi

Yes that was one I'd looked at

But found this contrary article at the same time

https://sourceforge.net/p/keepass/discussion/329220/thread/f791c815/

so I was not as concerned as I might have been

However it is nowhere near a centralised-control-corporate-solution, just a free one

Regards

Phil Maud
Information Security Analyst
Information Services, Building 63 (IT) G7
E: P.H.Maud () cranfield ac uk
T: +44 (0) 1234 75 4879


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kevin Crider
Sent: 27 February 2019 15:51
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management

The big diff for us is the portability of Keepass PLUS its vulnerabilities.

Being portable is a nice feature, but it also means someone can take the database file and you'd never know...and do 
all kinds of things with it...

https://www.rubydevices.com.au/blog/how-to-hack-keepass

12 minutes to crack the master password.

At least with a cloud service I can control it...turn it off...and monitor access.

I love Keepass and agree it's way better than nothing...but IMO not much better than a spreadsheet...



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Maud, Phil
Sent: Wednesday, February 27, 2019 10:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management

I've used keepass and have recommended it in the past

It's a good price (free) and is pretty usable and most importantly isolated from the browser (which seems to be the 
source of numbers of password manager hacking attempts)

I looked for encryption cracking against keepass and AFAIK it stands up pretty well - where I find vulnerabilities they 
seem to extend to other password managers as well (recent in memory password recovery being an example)

The main argument I had about not using it commercially is that there is no master key which means that if a user loses 
their master password they have lost all their passwords in one go and no one in IT can undo that for them

It's a basic password manager but better than no password manager...

Regards

Phil Maud
Information Security Analyst
Information Services, Building 63 (IT) G7
E: P.H.Maud () cranfield ac uk
T: +44 (0) 1234 75 4879





From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of William D Sanders
Sent: Monday, February 25, 2019 12:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management

Is anyone using KeePass? I've used it before in a non-education environment, and it worked well for us. I'd love to 
hear about anyone's experience with it.
Thanks,
Dan



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Greg Williams
Sent: Monday, February 25, 2019 10:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Management

Looks like this topic hasn't been discussed in a while (~2 years).  We *have* had around 100 users in LastPass 
Enterprise for our IT department for the past 4 years.  This is the 4th year in a row that the price has increased 100% 
year over year.  It was $8/year/user 4 years ago.  So over 4 years $8*2*2*2 = ~62/year/user today.  What is everyone 
else using these days?  Are you using DUO with it as well?  Thanks!

Greg Williams, ME
Director of Operations
Office of Information Technology
Lecturer
Department of Computer Science

University of Colorado Colorado Springs
1420 Austin Bluffs Parkway, (EPC 136A)
Colorado Springs, CO 80918
Phone: (719) 255-3292
Connect: Skype<skype:gwillia5 () uccs edu?chat> | WebEx<https://uccs.webex.com/meet/gregwilliams>
www.uccs.edu

