Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Jere Retzer <retzerj () OHSU EDU>
Date: Sat, 28 Aug 2004 12:14:09 -0700
I really agree with Scott Bradner that you need to ask what is the gain for the pain? Put in another, perhaps even broader, context: your policies really should relate in some fashion, hopefully explicitly, to a risk analysis/risk management plan. As a senior IT manager or security administrator you have tools, assets and risks that you need to balance. Some of your most important assets include the goodwill of your institution's managers and end users. Unpopular policies use up this asset so need to be applied with care. You can lessen the impact of seemingly draconian policies if you can persuade that you are overcoming a serious risk, i.e. why we accepted the substantial security inconveniences imposed on air travel post 9/11.

In the case of ensuring strong passwords, I think it's much more important to enforce for exposed hosts and servers than it is for personal computers. Scanning personal computers seems intrusive and disrespectful. Yes, I agree that your policies should reserve your right to do this when required, but maintain you should limit its use. Using a net registration program and scanning for patches, trojans, virus protection upon registration seems like a good measure for personal computers that reduces the risk posed by these machines, especially when combined with intrusion detection and other tools.

I think you also need to be careful of what messages you send relative to the use of "hacking" tools and respect for individual privacy. Your policies should include a prohibition against sniffers, scanners, password crackers, etc., except where properly authorized, and make a clear statement as to individual rights/expectation for privacy.

Jere

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.