Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Jeff Giacobbe <giacobbej () MAIL MONTCLAIR EDU>
Date: Thu, 26 Aug 2004 17:24:12 -0400
Colleagues-

A "weak" password represents a security risk just like an unpatched Windows machine represents a security risk. I do believe that IT departments have a responsibility to take reasonable steps to ensure that their computing environments are as secure as possible. Those steps could/should include periodic system scanning (via Nessus or some other vulnerability tool), proactive network monitoring to isolate problematic machines, and password checking to ensure that there are no easily "crackable" user or system passwords.

I would recommend, however, that the password checking occur at the point at which a user is selecting their password (i.e. from a password/account management portal) rather than "after the fact" password cracking. Odds are that whoever would hijack a weak password has already done so by the time IT has gotten around to doing it.

Put another way, if IT doesn't want users to have weak passwords, then IT should make sure that users can't ever select weak passwords. Penalizing users after the fact seems a little draconian.

Regards,

Jeff Giacobbe
Dir. of Systems, Security, and Networking
Montclair State University

CAROLE CARMODY wrote:
What would be the circumstances under which IT would "crack" a faculty member's password. Unless there is a violation of the acceptable use policy or is it that the individual forgets the password?

Carole Carmody
Bloomfield College

-----Original Message-----
From: Sweeny, Jonny [mailto:jsweeny () INDIANA EDU]
Sent: Thursday, August 26, 2004 4:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Cracking & Consequences

Do IT departments commonly try to crack their users' passwords? That's surprising/scary news to me...

~Jonny

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Thursday, August 26, 2004 3:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Cracking & Consequences

We are looking for any advice on the consequences other institutions impose on faculty and staff when their password is cracked by IT. For instance, is it a zero-tolerance system where your password is automatically reset and you must show up at the Helpdesk to have it reset? Or, is it a graduated series of consequences, a la "Three Strikes and You're Out," e.g., disciplinary action, network restrictions, etc. Any other configurations?

Anything anyone could provide would be helpful. Trying not to reinvent the wheel!

Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.