Poxy Password Policies ...
There is a debate rambling along on our corporate social media platform (Yammer) – someone spotted some excellent advice from GCHQ advising against having corporate password policies that force the users to change their password at too frequent intervals.
Once the user has realised what this entails, they will create the following password structure …
MagicWord9999 – where the digits represent any number between 00 and 99 – and I am sure that if they have worked at organisation X for long enough they could make the leap to three digits.
The problem is that if an older password is compromised – for example via a key logger that managed to get past all anti-malware security (which they can do) – then the password methodology is revealed. You may have changed your password to 99+1, yet the attacker still knows your password, in spite of corporate policy.
The same applies for the encryption of USB – not that we are conflating two different technologies. Forcing full encryption and password protection of USB drives means that:
- I will avoid using them – viva la cloud.
- Those who do may now create a shared password – facepalm
- Others may now stick the password on the wall, screen, department cat or USB stick – facepalm++
Even when capable individuals share what is happening on our social media platform, our IT souls seem to be in dismal denial – it is policy, they explain. Yep – an utterly useless policy that has been debunked by experts. They try to claim that external compliance forces this – for an entire university? Hmmm, maybe for a section. Has nobody tried network segmentation, or additional layers of security for the at-risk systems?
Passwords need to change – the frequency lowered, and a rule written that stops incremental digits. (Off hand I cannot recall if Microsoft offers this – to be fair, I can see where any network admin's hands are tied.)
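As an added illustration of the "rule that stops incremental digits" the post asks for (example code written for this page, not anything the post's author or any vendor ships), the check below rejects a new password when it is the old one with a different trailing number, or differs from it by only a character or two. The thresholds HISTORY_DEPTH and MAX_EDIT_DISTANCE and the sample passwords are assumptions chosen for the example.

```python
import re

# Assumed policy knobs (not from the original post): how many previous
# passwords to compare against, and how small an edit still counts as
# "the same password".
HISTORY_DEPTH = 5
MAX_EDIT_DISTANCE = 2

_TRAILING_DIGITS = re.compile(r"\d+$")


def stem(password: str) -> str:
    """Lower-case the password and strip any trailing run of digits, so
    'MagicWord42' and 'MagicWord43' collapse to the same stem."""
    return _TRAILING_DIGITS.sub("", password).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits needed
    to turn a into b. Small values mean the passwords are near-identical."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_incremental_variant(new: str, old: str) -> bool:
    """True when the new password is just the old one re-numbered or
    lightly tweaked, i.e. the MagicWord99 -> MagicWord100 pattern."""
    if new.lower() == old.lower():
        return True
    new_stem, old_stem = stem(new), stem(old)
    # Same word with a different number on the end (guard against an
    # all-digit password whose stem is empty).
    if new_stem and new_stem == old_stem:
        return True
    return edit_distance(new.lower(), old.lower()) <= MAX_EDIT_DISTANCE


def check_new_password(new: str, history: list[str]) -> tuple[bool, str]:
    """Accept the new password only if it is not a trivial variant of any
    of the last HISTORY_DEPTH passwords in the supplied history."""
    for previous in history[-HISTORY_DEPTH:]:
        if is_incremental_variant(new, previous):
            return False, "too similar to a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample history, not real credentials.
    old_passwords = ["MagicWord98", "MagicWord99"]
    for candidate in ["MagicWord100", "magicword99!", "correct horse battery staple"]:
        print(candidate, "->", check_new_password(candidate, old_passwords))
```

One practical caveat: a real system holds only hashes of earlier passwords, so this comparison is only possible against plaintext the user supplies at change time (normally the current password). Comparing against a longer history in this way would require storing old passwords reversibly, which is a worse trade than the incremental-digit habit it is meant to stop; the usual fallback is a hash-based history check plus a denylist of common patterns.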
We do not know if there has ever been a data breach at the OU via USB – chances are that if data is escaping, we are probably pissing it out via the cloud. We collaborate with innumerable external parties – this is what academia does. Rather than comply with policy, we are working around a set of rules better suited to a grey-suited corporate monolith.
Alas – lateral thinking, and maybe asking those who work intellectually in this field, may be a start. Sadly this is not the only case at my University; one encounters this in many other academic spheres.