College/University Sales

stevenc317

Have you guys thought about working with College/Universities to give them site licenses for their staff & students to use 1Password both on Mac & PC. The reason why I mention this is my school (and I know it isn't unique) is 'obsessed' with security, forcing the students to change their passwords every 60 days (even when this has been proven to be more insecure). Additionally I know that many campuses provide students with a copy of Norton AV (or McAfee, etc) to 'protect' them from viruses.



Maybe you guys could talk to some universities and get some nice contracts with them. You could explain how using 1Password (w/dropbox) is the most secure way to generate hard-to-guess passwords and store them safely.



Just a thought.

Nik

Thanks for the suggestion, Steven!

Ben

RIT may be interested in this as well.

[url]http://www.facebook.com/RITInfosec?ref=ts[/url]

1Jeff

I love this idea. I wish 1Password was everywhere, but quality over "get-it-out-the-door-now" mentality. That brings me to my point, I don't think Agile should do this until the Windows version of 1Password is in production. Figures are showing Macs to be the most popular laptop on the college campus (at least in America). The problem is, I see many more laptops running Windows unless I'm in the Mac Media Lab or near one of the arts classes. My university has a Mac lab, but the system of choice is Windows based PCs. I think it would be a better move to put an idea like this on the back burner to simmer until 1P for Windows is at production status. I think that's exactly what the Agile staffers would do anyways. Just my two cents.

stevenc317

Jeff,



I agree, while I use my MacBook Pro for most of my assignments, my law school requires us to use a proprietary application (logs all copy & paste, etc) for all of our reports and it is Windows only.

forumboy

just curious if you have a link to a study showing it's more insecure to change passwords every 2 months, or know why that is the case?



[quote name='stevenc317' timestamp='1279825980' post='7087']

my school (and I know it isn't unique) is 'obsessed' with security, forcing the students to change their passwords every 60 days (even when this has been proven to be more insecure).

[/quote]

khad

[quote name='forumboy' timestamp='1281578105' post='8324']

just curious if you have a link to a study showing it's more insecure to change passwords every 2 months, or know why that is the case?

[/quote]



I don't know that I would say it is LESS secure, but it certainly isn't worth the effort. The short version is that by the time you change your password, an attacker would have already used it. They don't wait weeks or months to use them. They use them immediately.



Perhaps this will shed some light:



http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf



Microsoft researcher Cormac Herley shows the true economics of burdening users with complex password policies:



[quote]In addition to overestimating benefits, advice almost always ignores the cost of user effort. The incremental cost of forcing users to choose an 8-character strong password, as opposed to allowing a 6-digit PIN, is hard to measure, but is certainly not zero. And ignoring it leads to a failure to understand the rational and predictable nature of user response.[/quote]



Skip to the conclusion if you are pressed for time. See also, my thoughts on password policies in [url="http://forum.agile.ws/index.php?/topic/1774-suggestions-how-secure-is-my-password/"]this other thread[/url]. Short version of that is: around 12 characters, all lowercase, no dictionary words.



I hope that helps (though it is a bit off topic). Cheers!