Educause Security Discussion mailing list archives
Re: Password Security
From: "Logan, Kimberly (loganks)" <LOGANKS () UCMAIL UC EDU>
Date: Tue, 23 Oct 2007 14:03:13 -0400
Hi, I'm certainly on board with those taking a harder line on this issue. If is hasn't already happened, I believe recent breaches should make us more sensitive to how the media and affected parties view Information Security's stance on issues like this. In many cases, we are pretty certain that even if they were allowed to write down their password, it doesn't ensure that stronger passwords will be used. I think I would also consider that this particular password has a strong likelihood of being their password in other places, as well. IMHO we take a stand now and don't back down. Kim Kim Logan Information Security Officer CISSP University of Cincinnati (513)556-9070 kim.logan () uc edu -----Original Message----- From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU] Sent: Tuesday, October 23, 2007 12:43 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Password Security Hi All: I am currently fighting an internal battle and wanted to do a sanity check to see if I am being too stubborn with my stance. Scenario: I have a department that wants to give their employees information on business sized cards. There is a slot on the card for people to write down their passwords to their payroll and annual benefits account. The idea is for the less computer literate staff to be able to keep these handy (in their wallets or purses let's say) so that they can refer to them as needed. For years we have been teaching people to not write their passwords down and while some people may do this on their own I feel that by telling them to do something that is so "anti-best practice" we are increasing our overall liability if any of these accounts are breached. Btw - I have discussed many alternative approaches with the department - none of which they are interested in hearing. Thoughts? (can be directed to me personally vs. the listserve if you prefer) -Kevin Kevin L. McLaughlin CISM, CISSP, PMP, ITIL Master Certified Director, Information Security University of Cincinnati 513-556-9177 (w) 513-703-3211 (m) 513-558-ISEC (department) CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential, intended solely for the addressee, and may be legally privileged. Access to this message and its content by any individual or entity other than those identified in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be unlawful.
Attachment:
smime.p7s
Description:
Current thread:
- Password Security Mclaughlin, Kevin (mclaugkl) (Oct 23)
- <Possible follow-ups>
- Re: Password Security Samuel Young (Oct 23)
- Re: Password Security Gary Dobbins (Oct 23)
- Re: Password Security Wyman Miles (Oct 23)
- Re: Password Security Sarah Stevens (Oct 23)
- Re: Password Security Gene Spafford (Oct 23)
- Re: Password Security Vicky Walker (Oct 23)
- Re: Password Security Roger Safian (Oct 23)
- Re: Password Security Mclaughlin, Kevin (mclaugkl) (Oct 23)
- Re: Password Security Logan, Kimberly (loganks) (Oct 23)
- Re: Password Security Steven Alexander (Oct 23)
- Re: Password Security Jim Dillon (Oct 23)
- Re: Password Security Doug Markiewicz (Oct 23)
- Re: Password Security Jim Dillon (Oct 23)
- Re: Password Security David Seidl (Oct 23)
- Re: Password Security Vicky Walker (Oct 23)
- Re: Password Security Christopher Webber (Oct 23)
- Password Security Mclaughlin, Kevin (mclaugkl) (Oct 24)
- Re: Password Security David Kovarik (Oct 24)
- Re: Password Security Paul Russell (Oct 24)
(Thread continues...)