Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Ken Shaurette <kmshaurette () MPCCORP COM>
Date: Thu, 26 Aug 2004 16:32:40 -0600

I would concur with Jeff Giacobbe, especially on the point that if
strong passwords are desired, make them strong when users enter them:
"make sure that users can't ever select weak passwords."

From a security purist's perspective, password cracking should never be done to
the point where the password can be displayed in clear text; otherwise we
are creating as much of a problem as we are trying to resolve.  With
cracking tools you are essentially eliminating authentication and, most
importantly, accountability.

At any institution where passwords are cracked, if a user were found to
be doing illegal things (pornography, sharing music) under their
account, they would have the perfect defense, because someone else could
know their password. I'd sure state that someone else knew my password:
"Look, it is common practice for the system administrators to look up
the passwords; I believe one of them must have told someone else my
password."

Yes, the hackers are doing it; that does not make it right.  A better
solution is to use tools that can identify the strength of the password
without actually divulging its content to the tool user.  Better yet,
follow Jeff's advice and implement controls, processes, procedures and
awareness that result in users never choosing a weak password in the
first place.

Even if you crack the password and warn them, the same user is just as
likely to choose another weak one.

Why?  Because they can.

Ken



-----Original Message-----
From: Jeff Giacobbe [mailto:giacobbej () MAIL MONTCLAIR EDU]
Sent: Thursday, August 26, 2004 4:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Cracking & Consequences


Colleagues-

A "weak" password represents a security risk just like an unpatched
Windows machine represents a security risk. I do believe that IT
departments have a responsibility to take reasonable steps to ensure
that their computing environments are as secure as possible. Those steps
could/should include periodic system scanning (via Nessus or some other
vulnerability tool), proactive network monitoring to isolate problematic
machines, and password checking to ensure that there are no easily
"crackable" user or system passwords.

I would recommend, however, that the password checking occur at the
point at which a user is selecting their password (i.e. from a
password/account management portal) rather than "after the fact"
password cracking. Odds are that whoever would hijack a weak password
has already done so by the time IT has gotten around to doing it.

Put another way, if IT doesn't want users to have weak passwords, then
IT should make sure that users can't ever select weak passwords.
Penalizing users after the fact seems a little draconian.


Regards,

Jeff Giacobbe
Dir. of Systems, Security, and Networking
Montclair State University
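Both messages above argue for checking a password's strength at the moment the user chooses it, rather than cracking stored hashes later and showing anyone the plaintext. The following is an added example, not code from either author or from any institution's portal: a proactive set-time check in Python that rejects a candidate for the usual reasons (too short, too few character classes, matches a small common-password list after undoing simple substitutions, contains the username, or has long repeats/sequences) and returns only reason codes, so neither the operator nor the logs ever see the password itself. The blocklist, the thresholds and the passphrase exemption are constructed for the example and would be policy decisions in a real deployment.

```python
import re

# Constructed sample of frequently chosen passwords. A real deployment would
# load a much larger list; this small set only illustrates the check.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "football", "iloveyou",
}

MIN_LENGTH = 12          # assumed policy minimum
MIN_CLASSES = 3          # lower / upper / digit / other
PASSPHRASE_LENGTH = 20   # assumed: long passphrases are exempt from the class rule
RUN_LENGTH = 4           # repeats or sequences this long are rejected

# Undo the most common "leetspeak" substitutions so that "p@ssw0rd" is still
# recognised as "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                       "$": "s", "!": "i", "5": "s"})


def _variants(candidate: str) -> set:
    """Lower-cased forms of the candidate used for the blocklist lookup."""
    lowered = candidate.lower()
    # Strip trailing digits/punctuation: "password123!" -> "password"
    core = re.sub(r"[\d\W_]+$", "", lowered)
    return {lowered, lowered.translate(_LEET), core, core.translate(_LEET)}


def _class_count(candidate: str) -> int:
    """Number of distinct character classes present."""
    classes = 0
    classes += any(c.islower() for c in candidate)
    classes += any(c.isupper() for c in candidate)
    classes += any(c.isdigit() for c in candidate)
    classes += any(not c.isalnum() for c in candidate)
    return classes


def _has_repeat_or_sequence(candidate: str, run: int = RUN_LENGTH) -> bool:
    """True for runs like 'aaaa', 'abcd', '4321' of length `run`."""
    for i in range(len(candidate) - run + 1):
        window = candidate[i:i + run]
        if len(set(window)) == 1:
            return True
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(candidate: str, username: str = "") -> list:
    """Return a list of reason codes; an empty list means the password passes.

    Only codes are returned, never the candidate itself, so a portal can log
    or display the outcome without exposing the password.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    if len(candidate) < PASSPHRASE_LENGTH and _class_count(candidate) < MIN_CLASSES:
        reasons.append("few_classes")
    if _variants(candidate) & COMMON_PASSWORDS:
        reasons.append("common")
    if len(username) >= 3 and username.lower() in candidate.lower():
        reasons.append("contains_username")
    if _has_repeat_or_sequence(candidate):
        reasons.append("repeat_or_sequence")
    return reasons


def is_acceptable(candidate: str, username: str = "") -> bool:
    return not check_password(candidate, username)


if __name__ == "__main__":
    # Constructed candidates; the portal would call this on the user's input.
    for pw, user in [("P@ssw0rd123", "alice"),
                     ("alice2024!!Super", "alice"),
                     ("correct horse battery staple", "bob"),
                     ("aaaa1111BBBB!", "bob")]:
        # Deliberately print only the verdict, not the candidate.
        print(user, "->", check_password(pw, user) or "ok")
```

The check runs inside the account-management flow, so the plaintext exists only for the duration of the request; the reason codes are what get logged or shown, which is the "identify the strength without divulging its content" property Ken asks for and the set-time enforcement Jeff recommends.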


