Letters

[Editor’s note: The following letter was held over from a previous issue; we apologize for the delay in publishing it.]

Security: A Small Storm Over Gale

Doug Gale’s article on campus security [“It’s Not All About Hackers,” September 2005] had two poor recommendations to improve password security on his “Secure Password Checklist.” His suggestion that users be encouraged or required to change their passwords every 90 days or more is a bad practice leading to a plethora of sticky notes on monitors or scrawled-on business cards in desk drawers, for users find themselves unable to remember their current (and soon-to-be-changed) password. Better to have a good, secure password and guard it vigilantly than to force frequent changes. The second weak recommendation was to “make clear to campus users that they must never give their passwords to anyone other than security administrators or backup personnel.” In fact, no one should give their password to anyone, ever, and we certainly don’t want to introduce the possibility that someone could pose as an administrator in order to gain a password. Security administrators or backup personnel should have, with their authority to administer systems securely, the ability to access those systems appropriately. Passwords are not necessary, i.e., got root? I would think they do.

Molly Tamarkin
Assistant Dean of Information Technology
Nicholas School of the Environment and Earth Sciences
Duke University (NC)

From Doug Gale:

Dean Tamarkin raised excellent points. The first, regarding password changes, is about achieving a balance between theoretical best practice and the real world. It is generally accepted best practice that passwords be changed regularly. The SANS (SysAdmin, Audit, Network, Security) Institute (www.sans.org) recommends that system level passwords be changed at least every 90 days and user passwords every 120 days (www.sans.org/resources/policies/Password_Policy.pdf). But as Dean Tamarkin points out, forcing periodic password changes that result in weak passwords, reusing passwords or, worse yet, writing passwords down can be counterproductive and actually increase vulnerability in the absence of effective password management solutions. It is also important to differentiate between different users and the kinds of data they access. Access to administrative systems should be more stringent than for students accessing their e-mail. The University of Chicago has, for example, a separate policy for computers containing sensitive data (https://security.uchicago.edu/regulated-computers/policy.shtml). The university also offers an excellent description of how to select secure and memorable passwords, via the same Web link. Dean Tamarkin’s second point that users should never give up their password is also generally true. Exceptions occur, however, as institutions implement centralized password management strategies, strong encryption becomes more widely used, and institutions respond to state and federal legal requirements. Better phrasing of the item on the Password Checklist would be: “Never give anyone your password except as outlined in institutional policies or as required by applicable state and federal laws.”
