Re: Interesting Research

["Albrecht, Travis" <000000ce07f65231-dmarc-request () LISTSERV EDUCAUSE EDU>]

If the goal is to "gauge whether students are actually adhering to suggested practices in password design", why capture 
username at all?

Travis Albrecht
INFORMATION TECHNOLOGY SECURITY OFFICER
............................................................................................
Information Technology Division
UW-Green Bay, 2420 Nicolet Drive, Green Bay, WI 54311
tel: (920) 465-2974  |  e-mail: albrecht () uwgb edu<mailto:albrecht () uwgb edu>


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Tuesday, April 2, 2019 3:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Interesting Research

Fellow security pros,

I have an interesting research request come in my inbox today. A researcher wants to setup a portal for students to 
self-register with a username and password. The kicker is passwords will be stored in plain text and collected. The 
premise is to gauge whether students are actually adhering to suggested practices in password design.

My first reaction is "(heck) no," but I realize I may be overreacting. So, I decided to see if anyone has dealt with 
this kind of research and how you handled it.

While I see the value in the research, my security senses tell me students will be using their standard password they 
use for everything. Thus big risk.

Feel free to contact me directly.

Thank you,
Ron

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu<mailto:raking () nsu edu>
www.nsu.edu<http://www.nsu.edu/>
@NSUCISO (Twitter)
[NSU_logo_horiz_tag_4c - Smaller]