Educause Security Discussion mailing list archives
Re: Password aging
From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 14 Jan 2004 18:47:38 -0500
I totally agree that passwords per se are lousy security. I'm just trying to understand the real risks and potential mitigations.
I believe the use of biometrics is poorly understood by most people but that is a topic for another thread.
I agree about Biometric Devices, particularly with those Biometric devices that still have a "Fail Safe" password system embedded in them. This is a very interesting thread on passwords to be sure. I can however tell you that I've seen faculty members write their passwords down in "Permanent Marker" on their monitor borders, students leave a piece of paper in our public computer labs with all their various usernames and passwords on it... not only to our network, but other services, including their banking information. I have seen departmental admins give a locked out user their own username and password so they didn't have to deal with it when they were at home eating dinner. These are just a couple of examples to be sure.

The way I see things, password complexity is required to avoid simple Brute Force attacks. Change cycles are required to ensure that compromised passwords are not good forever. Length requirements are needed to at least SLOW down brute force decryption attempts, if not make it take years to crack. However, as with all things, there is a "median" or balance between these three issues, and certainly the users' work habits and needs should be a part of that equation; but NOT the determining factor.

I've also read here where some say that banks do not require a user to change their ATM / Check Card's PIN number. While I believe they should and eventually will require this, we need to remember that we've just changed the argument dynamics here from a password only authentication system into what amounts to a "Two Factor" authentication system; whereby a person would not only need the password/pin, but also the additional "Token / Smart Card" to make the system work to begin with. Rather like comparing apples with oranges IMO. I believe therefore that the future of security will be in multi-factor authentication.
Until then, we need to do our best to protect our users and their data with the tools we currently have, educate our users why this is so important to safeguard not only them - but the institution's data, and then help them with tips and suggestions to create/change passwords on a regular cycle that are both complex but EASY to remember. We have actually had very good luck with this approach.

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
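The post above argues that complexity, length and change cycle have to be balanced against each other. The following is an added example, not code from the original message or from anyone on the list, that puts rough numbers on that balance: it computes the keyspace a policy yields, the expected time for an offline brute-force run to reach a password at an assumed guess rate, and whether a given change cycle would expire a leaked credential before that. The character-class sizes, the guess rate and the rotation interval are all constructed assumptions for illustration.

```python
"""Rough model of the three policy knobs discussed in the thread: length,
character-class complexity and change cycle.

Added example, not part of the original post. All numbers below are
illustrative assumptions, not measurements.
"""
import math

# Assumed character-class sizes (printable ASCII, symbols = 33 punctuation marks).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Assumed offline guess rate against a fast unsalted hash (constructed figure).
ASSUMED_GUESSES_PER_SECOND = 1e9

SECONDS_PER_DAY = 86_400


def keyspace(length: int, classes: tuple[str, ...]) -> int:
    """Number of distinct passwords of `length` drawn from the given classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def entropy_bits(length: int, classes: tuple[str, ...]) -> float:
    """Keyspace expressed in bits; a convenient way to compare policies."""
    return math.log2(keyspace(length, classes))


def expected_crack_days(length: int, classes: tuple[str, ...],
                        guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected days for an exhaustive search to hit the password.

    On average half the keyspace is searched before the match is found.
    """
    return keyspace(length, classes) / 2 / guesses_per_second / SECONDS_PER_DAY


def rotation_outpaces_cracking(length: int, classes: tuple[str, ...], rotation_days: int,
                               guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> bool:
    """True if a password changed every `rotation_days` is expected to expire
    before a brute-force search against its leaked hash completes.

    This captures the post's point that change cycles limit how long a
    compromised password stays useful, but only if the cycle is shorter
    than the expected crack time for the policy.
    """
    return rotation_days < expected_crack_days(length, classes, guesses_per_second)


if __name__ == "__main__":
    # Constructed policies to compare: short-and-complex vs. long-and-simple.
    policies = {
        "8 chars, all four classes": (8, ("lower", "upper", "digit", "symbol")),
        "12 chars, lowercase only": (12, ("lower",)),
    }
    for name, (length, classes) in policies.items():
        print(f"{name}: {entropy_bits(length, classes):.1f} bits, "
              f"~{expected_crack_days(length, classes):.3g} days to crack, "
              f"90-day rotation helps: {rotation_outpaces_cracking(length, classes, 90)}")
```

Under these assumptions, adding four characters of length buys more than adding three character classes, and a 90-day change cycle is only meaningful when the expected crack time for the policy exceeds 90 days; for a short policy the hash is cracked long before the password would have been rotated.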