Educause Security Discussion mailing list archives

Re: Password Management Policy & Standards


From: David Sheryn <dsheryn () LONDON EDU>
Date: Fri, 26 Feb 2016 12:38:38 +0000


There is an interesting, if somewhat dated, paper by Ross Anderson, Professor of Security Engineering at Cambridge 
University (http://www.cl.cam.ac.uk/~rja14/  https://www.lightbluetouchpaper.org/ ), reporting on the results of some 
empirical research to try and establish how much password 'folklore' was actually true 
(http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-500.pdf).  I believe that as a result, he successfully challenged the 
University's auditors' insistence on frequent password changes.  IIRC, when asked what basis they had for insisting 
on this, the only response that the auditors could come up with was "Head Office says so"...

Regards

-- 
David Sheryn | Information Security Specialist -- Networks, Telecoms & Security | Information Technology.
London Business School | Regent's Park | London NW1 4SA | United Kingdom.
Switchboard +44 (0)20 7000 7000 | Direct line +44 (0)20 7000 7776

www.london.edu | London experience. World impact.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark I. Berman
Sent: 26 February 2016 12:02
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management Policy & Standards

Joanna,

So what you're saying is that the reason to expire passwords is to make the accountants happy rather than any rational 
balancing of risk/reward? I think I probably agree with you. We just had a discussion here about whether we need to 
worry about password expiration and complexity so much if we move to two-factor authentication. One thing that was 
brought up is that we might not even know if a password is compromised, since the bad guy still wouldn't be able to get 
in, lacking the second factor. And do we care at that point that the password was compromised?  Two-factor auth 
certainly seems to throw a monkey wrench into the question of how important complex and frequently changed passwords 
really are!

 - Mark
--
Mark Berman, Chief Information Officer
Siena College
515 Loudon Road
Loudonville, NY  12211
(518)782-6957,  Fax: (518)783-2590
