User authentication question

Submitted by michael.sparks on Wed, 12/03/2008 - 11:06am.

'Noids,

A while back a university system audit told us we needed a better password
policy - longer passwords, more complexity, more frequent expiration. So we
complied and now our users hate us (not really, but they're not happy with
the password policy). Add on top of that the new computer security truism
that "passwords are dead" and I'm left asking what would be better. And by
better I mean the users will find it less onerous than a strong password
policy and it will be at least as secure if not more so than a strong
password policy: happy users & happy security auditors.

So here's my question: are other law schools doing anything that is a step
beyond an old-fashioned password? Smartcards? RSA SecurID? Who is it
deployed to? Administrative users? All faculty and staff? Students? Cost?
User reaction? Your opinion?

I know the argument - there's nothing here worth that sort of security - and
it's mostly accurate. On the other hand, if something is worth securing at all
it is worth securing well, and with modern botnets and trojans it just takes
one mistake by one user to let in something that will chew on a
workstation's cached profile password hashes or just a plain old key logger
and then spread from there. I've seen both here at one time or another.
Honestly, passwords really are inadequate today.

Thanks,
Michael
--
________________
J Michael Sparks
Computing Services Director
LSU Paul M Hebert Law Center
Baton Rouge, LA 70803-1000
225-578-8717 fax 225-578-4682
Michael.Sparks@law.lsu.edu

( categories: teknoids )