Educause Security Discussion mailing list archives
Re: Password policy
From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Thu, 2 Nov 2006 09:31:29 -0500
> I'll agree with Jim and others that we need two-factor authentication for the assets that we REALLY need to worry about (at least our financials, medical records, human subjects research data and so on). And we need to allow some reasonable number of retries, especially if you, or I, or the student in the lab has to type fifteen or twenty characters correctly each time we log in (or, for those who sit in front of a screen all day, each time we go 'down the hall' or out to lunch). But seriously, who's going to try to break into Professor Snerdwell's e-mail account with a dictionary attack? And unless we're worried about month-long sustained attacks, frequent password changes are just annoying without buying additional security. Making people change their passwords every ninety days doesn't teach good computer hygiene; it annoys them and confirms their impression that the IT people have nothing better to do. My 2c worth.

Good point on the latter statement (as has also been made by Jim and Dan) - it's good practice to match the authentication system strength to the risk/consequences of a failure of that system (see NIST 800-63). Username/password auth is acceptable for a majority of applications that a typical student uses. An employee, on the other hand, who has read/write access to ERP, student records, server administration, etc. should be using a relatively stronger authentication method.

As far as implementing strong auth systems, I notice that there's a great deal of maturity in open source smart card and PKI systems, for example OpenSC and OpenCA.

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto