Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Jason Richardson <a00jer1 () WPO CSO NIU EDU>
Date: Thu, 26 Aug 2004 16:14:40 -0500
IMO, actively running LC or something else on the network to crack faculty/staff passwords is a pretty aggressive practice and I'm frankly surprised that the original poster's org gets away with it if they disclosed to everyone what they intended to do. Punishing them for not using a strong password is even more aggressive and I can't even imagine bringing that up with management here.

We instituted higher complexity requirements and a self-service module early last year and we will be increasing those requirements again this year.

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu

b.lucas () TCU EDU 8/26/2004 4:00:57 PM >>>
If you don't crack them regularly, you might consider it as long as you're going to do something with the data. You'll be surprised at how poor they are if you aren't doing any complexity enforcement.

We've been cracking monthly for 14 months now, followed by a targeted email urging them to change it and education about selecting a strong password. We have a complexity requirement and an improved self-service module about to kick in sometime in the next two weeks.

Bryan Lucas
Lead Server Administrator
Texas Christian University
(817) 257-6971

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sweeny, Jonny
Sent: Thursday, August 26, 2004 3:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Cracking & Consequences

Do IT departments commonly try to crack their users' passwords? That's surprising/scary news to me...

~Jonny

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Thursday, August 26, 2004 3:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Cracking & Consequences

We are looking for any advice on the consequences other institutions impose on faculty and staff when their password is cracked by IT. For instance, is it a zero-tolerance system where your password is automatically reset and you must show up at the Helpdesk to have it reset? Or, is it a graduated series of consequences, a la "Three Strikes and You're Out," e.g., disciplinary action, network restrictions, etc. Any other configurations?

Anything anyone could provide would be helpful. Trying not to reinvent the wheel!

Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.