Letters

[Editor’s note: The following letter was held over from a previous issue; we apologize for the delay in publishing it.]

Security: A Small Storm Over Gale

Doug Gale’s article on campus security [“It’s Not All About Hackers,” September 2005] had two poor recommendations to improve password security on his “Secure Password Checklist.” His suggestion that users be encouraged or required to change their passwords every 90 days or more is a bad practice leading to a plethora of sticky notes on monitors or scrawled-on business cards in desk drawers, for users find themselves unable to remember their current (and soon-to-be-changed) password. Better to have a good, secure password and guard it vigilantly than to force frequent changes. The second weak recommendation was to “make clear to campus users that they must never give their passwords to anyone other than security administrators or backup personnel.” In fact, no one should give their password to anyone, ever, and we certainly don’t want to introduce the possibility that someone could pose as an administrator in order to gain a password. Security administrators or backup personnel should have, with their authority to administer systems securely, the ability to access those systems appropriately. Passwords are not necessary, i.e., got root? I would think they do.

Molly Tamarkin
Assistant Dean of Information Technology
Nicholas School of the Environment and Earth Sciences
Duke University (NC)

From Doug Gale:

Dean Tamarkin raised excellent points. The first, regarding password changes, is about achieving a balance between theoretical best practice and the real world. It is generally accepted best practice that passwords be changed regularly. The SANS (SysAdmin, Audit, Network, Security) Institute (www.sans.org) recommends that system level passwords be changed at least every 90 days and user passwords every 120 days. (www.sans.org/resources/policies/Password_Policy.pdf). But as Dean Tamarkin points out, forcing periodic password changes that result in weak passwords, reusing passwords or, worse yet, writing passwords down can be counterproductive and actually increase vulnerability in the absence of effective password management solutions. It is also important to differentiate between different users and the kinds of data they access. Access to administrative systems should be more stringent than for students accessing their e-mail. The University of Chicago has, for example, a separate policy for computers containing sensitive data. (https://security. uchicago.edu/regulated-computers/policy.shtml). The university also offers an excellent description of how to select secure and memorable passwords, via the same Web link. Dean Tamarkin’s second point that users should never give up their password is also generally true. Exceptions occur, however, as institutions implement centralized password management strategies, strong encryption becomes more widely used, and institutions respond to state and federal legal requirements. Better phrasing of the item on the Password Checklist would be: “Never give anyone your password except as outlined in institutional policies or as required by applicable state and federal laws.”

Featured

  • data professionals in a meeting

    Data Fluency as a Strategic Imperative

    As an institution's highest level of data capabilities, data fluency taps into the agency of technical experts who work together with top-level institutional leadership on issues of strategic importance.

  • modern college building with circuit and brain motifs

    Anthropic Launches Claude for Education

    Anthropic has announced a version of its Claude AI assistant tailored for higher education institutions. Claude for Education "gives academic institutions secure, reliable AI access for their entire community," the company said, to enable colleges and universities to develop and implement AI-enabled approaches across teaching, learning, and administration.

  • laptop with AI symbol on screen

    Google Launches Lightweight Gemma 3n, Expanding Edge AI Efforts

    Google DeepMind has officially launched Gemma 3n, the latest version of its lightweight generative AI model designed specifically for mobile and edge devices — a move that reinforces the company's emphasis on on-device computing.

  • semi-transparent AI brain with circuit elements under a microscope

    Anthropic Develops AI 'Microscope' to Reveal the Hidden Mechanics of LLM Thought

    Anthropic has unveiled new research tools designed to provide a rare glimpse into the hidden reasoning processes of advanced language models — like a "microscope" for AI.