Educause Security Discussion mailing list archives
Re: Password policy
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 2 Nov 2006 09:54:26 -0500
Mike Wiseman wrote:
Good point on the latter statement (as has also been made by Jim and Dan) - it's good practice to match the authentication system strength to the risk/consequences of a failure of that system (see NIST 800-63). Username/password auth is acceptable for a majority of applications that a typical student uses. An employee, on the other hand, who has read/write access to ERP, student records, server administration, etc. should be using a relatively stronger authentication method.
For those of you who provide a "universal account and password" that allows people to access multiple systems:

1) Do you allow the universal account to be used both with sensitive and non-sensitive applications?
2) Do you enforce separate password policies on the universal accounts whose holders can access sensitive systems? If so, through what mechanism?

thanks,
--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security