Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Jere Retzer <retzerj () OHSU EDU>
Date: Sat, 28 Aug 2004 12:14:09 -0700

I really agree with Scott Bradner that you need to ask what is the gain
for the pain? Put in another, perhaps even broader, context: your policies
really should relate in some fashion, hopefully explicitly, to a risk
analysis/risk management plan. As a senior IT manager or security
administrator you have tools, assets and risks that you need to balance.
Some of your most important assets include the goodwill of your
institution's managers and end users. Unpopular policies use up this
asset, so they need to be applied with care. You can lessen the impact of
seemingly draconian policies if you can persuade people that you are
overcoming a serious risk, i.e., that is why we accepted the substantial
security inconveniences imposed on air travel post 9/11.

In the case of ensuring strong passwords, I think it's much more
important to enforce for exposed hosts and servers than it is for personal
computers. Scanning personal computers seems intrusive and
disrespectful. Yes, I agree that your policies should reserve your right
to do this when required, but I maintain that you should limit its use. Using a
net registration program and scanning for patches, trojans and virus
protection upon registration seems like a good measure for personal
computers that reduces the risk posed by these machines, especially when
combined with intrusion detection and other tools.

I think you also need to be careful of what messages you send relative
to the use of "hacking" tools and respect for individual privacy. Your
policies should include a prohibition against sniffers, scanners,
password crackers, etc., except where properly authorized, and make a clear
statement as to individual rights/expectations of privacy.

Jere

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.