Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Ken Shaurette <kmshaurette () MPCCORP COM>
Date: Thu, 26 Aug 2004 16:32:40 -0600
I would concur with Jeff Giacobbe, especially on the point that if strong passwords are desired make them strong when they enter them. "make sure that users can't ever select weak passwords"
From a security purist's point of view, password cracking should never be done to the point where the password can be displayed in clear text; otherwise we are creating as much of a problem as we are trying to resolve. With cracking tools you are essentially eliminating authentication and, most importantly, accountability. At any institution where passwords are cracked, if a user were found to be doing illegal things (pornography, sharing music) under their account, they would have the perfect defense, because someone else could know their password. I'd sure state that someone else knew my password: look, it is common practice for the system administrators to look up the passwords; I believe one of them must have told someone else my password.

Yes, the hackers are doing it; that does not make it right. A better solution is to use tools that can identify the strength of the password without actually divulging its content to the tool user. Better yet, follow Jeff's advice and implement controls, processes, procedures and awareness that result in users never choosing a weak password in the first place. Even if you crack the password and warn them, the same user is just as likely to choose another weak one. Why? Because they can.
Ken
------
MPC (P) (262) 523-3300 x60486 (F) (208) 898-2383
------
National Security Awareness Day - September 10, 2004 - Are you aware?
------
-----Original Message-----
From: Jeff Giacobbe [mailto:giacobbej () MAIL MONTCLAIR EDU]
Sent: Thursday, August 26, 2004 4:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Cracking & Consequences

Colleagues-

A "weak" password represents a security risk just like an unpatched Windows machine represents a security risk. I do believe that IT departments have a responsibility to take reasonable steps to ensure that their computing environments are as secure as possible. Those steps could/should include periodic system scanning (via Nessus or some other vulnerability tool), proactive network monitoring to isolate problematic machines, and password checking to ensure that there are no easily "crackable" user or system passwords.

I would recommend, however, that the password checking occur at the point at which a user is selecting their password (i.e. from a password/account management portal) rather than "after the fact" password cracking. Odds are that whoever would hijack a weak password has already done so by the time IT has gotten around to doing it. Put another way, if IT doesn't want users to have weak passwords, then IT should make sure that users can't ever select weak passwords. Penalizing users after the fact seems a little draconian.

Regards,
Jeff Giacobbe
Dir. of Systems, Security, and Networking
Montclair State University

Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.