Letters

[Editor’s note: The following letter was held over from a previous issue; we apologize for the delay in publishing it.]

Security: A Small Storm Over Gale

Doug Gale’s article on campus security [“It’s Not All About Hackers,” September 2005] had two poor recommendations to improve password security on his “Secure Password Checklist.” His suggestion that users be encouraged or required to change their passwords every 90 days or more is a bad practice leading to a plethora of sticky notes on monitors or scrawled-on business cards in desk drawers, for users find themselves unable to remember their current (and soon-to-be-changed) password. Better to have a good, secure password and guard it vigilantly than to force frequent changes. The second weak recommendation was to “make clear to campus users that they must never give their passwords to anyone other than security administrators or backup personnel.” In fact, no one should give their password to anyone, ever, and we certainly don’t want to introduce the possibility that someone could pose as an administrator in order to gain a password. Security administrators or backup personnel should have, with their authority to administer systems securely, the ability to access those systems appropriately. Passwords are not necessary, i.e., got root? I would think they do.

Molly Tamarkin
Assistant Dean of Information Technology
Nicholas School of the Environment and Earth Sciences
Duke University (NC)

From Doug Gale:

Dean Tamarkin raised excellent points. The first, regarding password changes, is about achieving a balance between theoretical best practice and the real world. It is generally accepted best practice that passwords be changed regularly. The SANS (SysAdmin, Audit, Network, Security) Institute (www.sans.org) recommends that system level passwords be changed at least every 90 days and user passwords every 120 days. (www.sans.org/resources/policies/Password_Policy.pdf). But as Dean Tamarkin points out, forcing periodic password changes that result in weak passwords, reusing passwords or, worse yet, writing passwords down can be counterproductive and actually increase vulnerability in the absence of effective password management solutions. It is also important to differentiate between different users and the kinds of data they access. Access to administrative systems should be more stringent than for students accessing their e-mail. The University of Chicago has, for example, a separate policy for computers containing sensitive data. (https://security. uchicago.edu/regulated-computers/policy.shtml). The university also offers an excellent description of how to select secure and memorable passwords, via the same Web link. Dean Tamarkin’s second point that users should never give up their password is also generally true. Exceptions occur, however, as institutions implement centralized password management strategies, strong encryption becomes more widely used, and institutions respond to state and federal legal requirements. Better phrasing of the item on the Password Checklist would be: “Never give anyone your password except as outlined in institutional policies or as required by applicable state and federal laws.”

comments powered by Disqus