Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: "Jansen, Morgan R." <morgan.jansen () ROSALINDFRANKLIN EDU>
Date: Wed, 17 Mar 2010 18:05:42 -0500
I certainly did not mean to imply that I went around telling the users they were getting a more restrictive password policy. (= I do think the way the information is given is important and it should be tailored to the audience. Researchers might be more likely to keep their passwords or pass phrases safe if you talk to them about cyber espionage, etc. Thank you, Morgan Jansen Information and Educational Technology Services Rosalind Franklin University of Medicine and Science morgan.jansen () rosalindfranklin edu (847) 578-8369 <mailto:morgan.shank () rosalindfranklin edu> ________________________________ From: The EDUCAUSE Security Constituent Group Listserv on behalf of Eric Case Sent: Wed 3/17/2010 3:41 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Are users right in rejecting security advice?
-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jansen, Morgan R. Sent: Wednesday, March 17, 2010 12:58 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Are users right in rejecting security advice? This is such an interesting discussion! I agree that security must be tailored for the institution. Relating the reasoning to the user base and giving them training is key. My husband works with me and hated when we implemented more restrictive password policies. I have found that when people understand why they are more restrictive and are given some tips on how to remember their passwords they are more agreeable.
<rant> I do not mean to offend anyone, but is that mindset the reason that users reject security advice? "The new password policy is more restrictive" vs. "the new password policy is simple; longer is better" (or whatever). When are we going to stop saying password and start saying passphrase? Long and 'simple' bets short and 'complex' everyday. Has everyone seen Pafwert http://xato.net/bl/2007/01/30/pafwert-smarter-passwords? </rant> -Eric Eric Case, CISSP eric (at) ericcase (dot) com http://www.linkedin.com/in/ericcase
Current thread:
- Re: Are users right in rejecting security advice?, (continued)
- Re: Are users right in rejecting security advice? Michael Sinatra (Mar 17)
- Re: Are users right in rejecting security advice? Ken Connelly (Mar 17)
- Re: Are users right in rejecting security advice? Michael Sinatra (Mar 17)
- Re: Are users right in rejecting security advice? Eric Case (Mar 17)
- Re: Are users right in rejecting security advice? Steven Alexander (Mar 17)
- Re: Are users right in rejecting security advice? Justin Azoff (Mar 17)
- Re: Are users right in rejecting security advice? Michael Sinatra (Mar 17)
- Re: Are users right in rejecting security advice? Eric Case (Mar 17)
- Re: Are users right in rejecting security advice? Eric Case (Mar 17)
- Re: Are users right in rejecting security advice? Dennis Meharchand (Mar 17)
- Re: Are users right in rejecting security advice? Jansen, Morgan R. (Mar 17)
- Re: Are users right in rejecting security advice? Katie Weaver (Mar 18)
- Re: Are users right in rejecting security advice? Kevin Wilcox (Mar 18)
- Re: Are users right in rejecting security advice? Kevin Wilcox (Mar 18)
- Re: Are users right in rejecting security advice? John Ladwig (Mar 18)
- Re: Are users right in rejecting security advice? Kevin Wilcox (Mar 18)
- Re: Are users right in rejecting security advice? John Ladwig (Mar 18)
- Re: Are users right in rejecting security advice? Russell Fulton (Mar 18)
- Re: Are users right in rejecting security advice? Russell Fulton (Mar 18)
- Re: Are users right in rejecting security advice? Basgen, Brian (Mar 18)
- FW: Are users right in rejecting security advice? Lazarus, Carolann (Mar 19)
(Thread continues...)