Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 27 Aug 2004 13:02:11 -0400
Michael Mills wrote:
> To take another perspective on this issue, I add that in an effort to create an audit trail of users' access to campus resources, for any number of reasons, it is imperative, not only from a personal liability standpoint but down to the campus's ability to enforce any kind of IT security policy, that NO ONE must EVER know anyone else's password. Even if only to prove that a password is insecure. Imagine a scenario where the campus is under fire from the RIAA, and the university passes the responsibility over to the student in question. If that student can prove that other people have the ability to "crack" their password and also do so, on a regular basis, that student is let off the hook (barring any other circumstances) and the responsibility is placed right back on the university. Or another scenario: a staff/faculty member is identified as having attempted to access areas he/she does not have access to, so the university decides to let this person go. That person gets a lawyer and charges that on a regular basis the IT staff "cracks" their passwords, and because of that, how can it be proved 100% that that person is the guilty party?
Not to argue with what you're saying, but the ugly truth is that a lot (most?) of computer evidence is tainted that way. There are all kinds of arguments people can use:

1) Somebody must have spoofed my IP.
2) Somebody must have spoofed my MAC address.
3) I must (or do) have a trojan installed on my computer.
4) Somebody hacked my computer.
5) That stream of ones and zeros could have been tampered with in any of a thousand ways and places before it was put in law enforcement custody.
6) My system isn't patched so anyone could have broken in and done it.
7) The IT system wasn't patched so anyone could have broken in and done it.
8) I typed my password into an e-bay mailing a few weeks ago when it asked me to update my account.
9) The network wires aren't under constant surveillance so anyone can sniff my password or do a man in the middle attack and hijack my session.

Unless you can collect network traffic on the local subnet, at the specific switch/dial-up port, at the same time a camera is aiming at the keyboard, the evidence is questionable. If it's local data being abused, you'd also need a keyboard logger. One could still argue about mysterious, disappearing kernel BOTS. :)

I suspect a fair number of cases are made on a preponderance of questionable evidence convincing a non-technical jury or, perhaps, a scared defendant into making a deal. In any case, one could also argue that an IT department showing that they regularly tested passwords for strength may decrease the strength of the defendants' arguments in your scenarios.
> With today's increased "phishing" methods of obtaining passwords, you will want to put into effect a "No one will EVER under ANY circumstances ask for your password" policy.
The phishing attacks ask for passwords indirectly. That is, they want you to do something which, as a side effect, requires you to log in. You can't directly attack that with such a policy without saying "don't type your password into a web site login screen or computer keyboard when asked for it".

BTW, another good policy would be "don't synchronize passwords amongst services". Else one successful phishing attack gains a user account on an unrelated system. I speak from experience.

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.