Part 2: On Passwords, Password Policies, and Teaching

I noted in yesterday's post that I used the answers to drive a conversation with a student employee, but didn't provide details. I was asked what the assignment was, and thought that it might be of interest.

I provided the initial question, and my response about what drives institutional policy - essentially what I summarized here. The assignment was:

Explain how you would answer this question for a user, and for IT management, and how your policy might differ for each of these environments:

• A large multinational corporation
• A commercial website like Amazon, or a cloud service like Dropbox or Picasa
• A small company or non-profit

This sort of thought exercise is one that I feel is crucial for those who are learning information security, and is similar to questions I ask my employees when we discuss why our policies are what they are.