Letters

[Editor’s note: The following letter was held over from a previous issue; we apologize for the delay in publishing it.]
Security: A Small Storm Over Gale 
Doug Gale’s article on campus security [“It’s Not All About Hackers,” September 2005] had two poor recommendations to improve password security on his “Secure Password Checklist.” His suggestion that users be encouraged or required to change their passwords every 90 days or more is a bad practice leading to a plethora of sticky notes on monitors or scrawled-on business cards in desk drawers, for users find themselves unable to remember their current (and soon-to-be-changed) password. Better to have a good, secure password and guard it vigilantly than to force frequent changes. The second weak recommendation was to “make clear to campus users that they must never give their passwords to anyone other than security administrators or backup personnel.” In fact, no one should give their password to anyone, ever, and we certainly don’t want to introduce the possibility that someone could pose as an administrator in order to gain a password. Security administrators or backup personnel should have, with their authority to administer systems securely, the ability to access those systems appropriately. Passwords are not necessary, i.e., got root? I would think they do.
Molly Tamarkin 
Assistant Dean of Information Technology 
Nicholas School of the Environment and Earth Sciences 
Duke University (NC) 
 
From Doug Gale:
Dean Tamarkin raised excellent points. The first, regarding password changes, is about achieving a balance between theoretical best practice and the real world. It is generally accepted best practice that passwords be changed regularly. The SANS (SysAdmin, Audit, Network, Security) Institute (www.sans.org) recommends that system level passwords be changed at least every 90 days and user passwords every 120 days (www.sans.org/resources/policies/Password_Policy.pdf). But as Dean Tamarkin points out, forcing periodic password changes that result in weak passwords, reusing passwords or, worse yet, writing passwords down can be counterproductive and actually increase vulnerability in the absence of effective password management solutions. It is also important to differentiate between different users and the kinds of data they access. Access to administrative systems should be more stringent than for students accessing their e-mail. The University of Chicago has, for example, a separate policy for computers containing sensitive data (https://security.uchicago.edu/regulated-computers/policy.shtml). The university also offers an excellent description of how to select secure and memorable passwords, via the same Web link. Dean Tamarkin’s second point that users should never give up their password is also generally true. Exceptions occur, however, as institutions implement centralized password management strategies, strong encryption becomes more widely used, and institutions respond to state and federal legal requirements. Better phrasing of the item on the Password Checklist would be: “Never give anyone your password except as outlined in institutional policies or as required by applicable state and federal laws.”