[geeks] Mandatory password changes

John Francini francini at mac.com
Sun Dec 10 08:11:20 CST 2006


Well, I have to say that, while this one's arguments are a bit over 
the top, there is something to be said for the concept of personal 
responsibility.

In a corporate setting, I can see requiring frequent password 
changes, because nearly everything an employee can access with a 
password is information that belongs to the company, and corporate IT 
needs to be able to protect it as they see fit.  A good analogy here 
would be to consider the password the same as a key to (physical) 
secured areas where corporate assets are kept. The corporation 
reserves the right to control that access as they see fit, as they 
are the corporation's assets, not the employee's.

In a University or public setting, the rules should be entirely 
different.  Here, the only information you can access is either your 
own or that which the school keeps on your behalf. This means that, 
yes, if you share your password with someone else and they then 
violate that trust (by doing nasty stuff like dropping you from 
classes, dropping you from the University, etc.), then that's your 
problem for having given them access in the first place.  The 
physical analogy here would be giving another student the key to your 
dorm room, off-campus apartment, etc., and discovering that the other 
student trashed the place.  This is your problem for having misplaced 
your trust.

So what's going on here is that the school is trying to provide a 
modicum of protection for the student who doesn't bother to protect 
him/herself -- by forcing a password change on the most 'natural' 
interval, the beginning of a new school year.  On the one hand, it 
could be considered nannying.  On the other hand, it could be 
considered simple prudence.

As an example from the physical world, in my high school, they 
changed all the combinations to all the lockers every year.  Thus, 
even if you had the same locker from one year to the next (you 
didn't), you would have to remember a new locker combination. Nor 
could you open your previous locker and rummage through another 
student's stuff.

The funny thing is, as a kid, I would never -- NEVER -- ever even 
think about giving another kid my locker combination.  And if I was 
given someone else's for a specific purpose, I'd make a point of 
forgetting it the moment that purpose was completed.

john



At 21:57 -0500 12/9/06, Aaron Finley wrote:
>There was a letter in our collegiate paper today, this is concerning
>new policy here that one will have to change their password next year
>and then on a regular yearly rotation. Just to add to the context, if
>someone has someone else's password here, they can withdraw them from
>the university and late drop all their courses in about ten clicks.
>
>[quote]
>Letter to the Editor
>Student reader vents on new password regulation
>
>With the recent requirement for students to change their user ID passwords
>for access to electronic media such as Webmail, [CMS] and [Registrar],
>I just thought I'd take a minute or two to vent my frustrations about
>this new, ridiculous concept.
>
>First of all, why regulate students' password security? It should be
>up to the student to change his or her passwords if he or she chooses
>to do so. If someone wishes to share his or her password with someone
>else, let them. It's obvious that this whole ordeal is only meant to
>show the administration's depth of control over the student
>population. Why else would they waste valuable man hours in the IT
>department and valuable research dollars on advertising. It's no
>wonder our student governing body was overthrown last year, and we
>have no influence on any of the formal decisions made by this
>administration because they know that no matter what, there will be
>43,000 people handing over thousands of dollars in tuition the next
>year.
>[end quote]
>
>Good grief. What large rock do people like this crawl out from? I sent
>him an e-mail, telling him he should hope that none of his prospective
>employers pre-screen via the internet, as this letter comes up as the
>third result on Google for his name.
>
>-- Aaron Finley

-- 
John Francini, francini at mac.com

"The journey is more important than the destination-that's part of 
life. If you only live for getting to the end, you're almost always 
disappointed."     -Donald Knuth


