Educause Security Discussion mailing list archives

Re: Password Security


From: "Logan, Kimberly (loganks)" <LOGANKS () UCMAIL UC EDU>
Date: Tue, 23 Oct 2007 14:03:13 -0400

Hi,

I'm certainly on board with those taking a harder line on this issue.  If it
hasn't already happened, I believe recent breaches should make us more
sensitive to how the media and affected parties view Information Security's
stance on issues like this.  In many cases, we are pretty certain that even
if they were allowed to write down their password, it doesn't ensure that
stronger passwords will be used.  I think I would also consider that this
particular password has a strong likelihood of being their password in other
places, as well.  IMHO we take a stand now and don't back down.

Kim

Kim Logan
Information Security Officer
CISSP
University of Cincinnati
(513)556-9070
kim.logan () uc edu

-----Original Message-----
From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Tuesday, October 23, 2007 12:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Security

Hi All:

I am currently fighting an internal battle and wanted to do a sanity check
to see if I am being too stubborn with my stance.

Scenario:

I have a department that wants to give their employees information on
business sized cards.  There is a slot on the card for people to write down
their passwords to their payroll and annual benefits account.  The idea is
for the less computer literate staff to be able to keep these handy (in
their wallets or purses let's say) so that they can refer to them as needed.
For years we have been teaching people to not write their passwords down and
while some people may do this on their own I feel that by telling them to do
something that is so "anti-best practice" we are increasing our overall
liability if any of these accounts are breached.  Btw - I have discussed
many alternative approaches with the department - none of which they are
interested in hearing.

Thoughts?  (can be directed to me personally vs. the listserve if you
prefer)

-Kevin


Kevin L. McLaughlin
CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)
