Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Mon, 19 Nov 2007 20:50:52 -0500
On Nov 19, 2007, at 8:32 PM, Peters, Kevin wrote:
> Here is my question - does anyone have the data on how many times a hack (attack) has occurred associated to breaking the "launch codes" from outside of the organization? The last information I gleaned from the FBI reports (several years ago) indicated that 70 percent of hackings (attacks) were internal. My most recent experience with intrusions has had nothing to do with a compromised password, rather an exploit of some vulnerability in the OS, database, or application.

I track these things, and I cannot recall the last time I saw any report of an incident caused by a guessed password. Most common incidents are phishing, trojans, snooping, physical theft of sensitive media, and remote exploitation of bugs.

People devote huge amounts of effort to passwords because it is one of the few things they think they can control. Picking stronger passwords won't stop phishing. It won't stop users downloading trojans. It won't stop capture of sensitive transmissions. It won't bring back a stolen laptop (although if the laptop has proper encryption it *might* protect the data). And passwords won't ensure that patches are in place but flaws aren't.

Creating and forcing strong password policies is akin to being the bosun ensuring that everyone on the Titanic has locked their staterooms before they abandon ship. It doesn't stop the ship from sinking or save any lives, but it sure does make you look like you're doing something important.....