Educause Security Discussion mailing list archives
Re: Interesting Research
From: John Chapman <John.Chapman () JISC AC UK>
Date: Wed, 3 Apr 2019 08:30:34 +0000
Not a direct response to your question, but the following may be of interest. UCL in the UK took an interesting approach to encouraging the use of strong passwords. They forced weaker passwords to be changed more often (something students didn't like at all), and stronger passwords wouldn't expire for a much longer period. They set passwords to be valid for between 100 and 350 days depending on their strength when they were set. There is a slide set from Bridget Kenyon (formerly of UCL) on SlideShare at https://www.slideshare.net/JISC/password-lifespans-at-ucl-a-training-opportunity explaining their approach.

John

-
Dr John Chapman CISSP CISM
Head of security operations centre
M 07468 727058
Twitter http://twitter.com/chapman_john
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: 02 April 2019 21:01
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Interesting Research

Fellow security pros,

I had an interesting research request come into my inbox today. A researcher wants to set up a portal for students to self-register with a username and password. The kicker is that passwords will be stored in plain text and collected. The premise is to gauge whether students are actually adhering to suggested practices in password design. My first reaction is "(heck) no," but I realize I may be overreacting. So, I decided to see if anyone has dealt with this kind of research and how you handled it.

While I see the value in the research, my security senses tell me students will be using the standard password they use for everything. Thus, big risk.

Feel free to contact me directly.

Thank you,
Ron

Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)
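The strength-dependent lifespan John describes above, as an added example that is not UCL's or Jisc's code: the 100-350 day range comes from the message, while the entropy estimate, the thresholds LOW_BITS and HIGH_BITS, and the linear mapping between them are assumptions made here for illustration.

```python
from datetime import date, timedelta
import math
import string

MIN_DAYS = 100   # lifespan floor quoted for the UCL scheme
MAX_DAYS = 350   # lifespan ceiling quoted for the UCL scheme

# Assumed thresholds (not from the page): at or below LOW_BITS a password gets
# the minimum lifespan, at or above HIGH_BITS it gets the maximum.
LOW_BITS = 28.0
HIGH_BITS = 60.0


def estimated_bits(password: str) -> float:
    """Crude strength estimate: log2(alphabet size) * length, where the
    alphabet is the union of character classes actually present.
    Assumption: a production deployment would use a proper estimator
    (dictionary and breach-list checks) instead of this class count."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet = sum(size for chars, size in classes
                   if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return math.log2(alphabet) * len(password)


def lifespan_days(password: str) -> int:
    """Map the estimate linearly onto [MIN_DAYS, MAX_DAYS], clamped so a
    very weak password still gets the floor and a very strong one the cap."""
    bits = estimated_bits(password)
    frac = (bits - LOW_BITS) / (HIGH_BITS - LOW_BITS)
    frac = min(1.0, max(0.0, frac))
    return int(round(MIN_DAYS + frac * (MAX_DAYS - MIN_DAYS)))


def expiry_date(password: str, set_on_iso: str) -> str:
    """ISO date on which a password set on set_on_iso would expire."""
    set_on = date.fromisoformat(set_on_iso)
    return (set_on + timedelta(days=lifespan_days(password))).isoformat()


if __name__ == "__main__":
    for pw in ("abc1", "password", "Correct-Horse-Battery-Staple-42"):
        print(f"{pw!r}: {lifespan_days(pw)} days, expires {expiry_date(pw, '2019-04-03')}")
```

Only the lifespan is derived from the password; the password itself never needs to be stored in clear for this policy, which is the part of Ron's request that worried him.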