Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Tue, 20 Nov 2007 09:36:57 -0800

I'd like to add a couple of thoughts:

First, even if an attacker gains access to a system due to some other
weakness, weak passwords may allow him to keep access, escalate his
privileges or to gain access to another system within the same
organization.  It may not be a primary attack vector, but good password
policies are still important.  Of course, we should also be focusing on
patch schedules, user education, firewalls and other issues.


Second, the password security situation can be improved, with or without
changing your password requirements, by moving from crypt(3) passwords
to MD5 or Blowfish on Unix and by disabling LAN Manager hashes on
Windows.  These changes are transparent to the users and can make
passwords much harder to crack--unless the password is "monkey".


Cheers,

Steven


Steven Alexander Jr.
Online Education Systems Manager
Merced College
3600 M Street
Merced, CA 95348-2898
(209) 384-6191

________________________________

From: Gene Spafford [mailto:spaf () CERIAS PURDUE EDU]
Sent: Monday, November 19, 2007 5:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

On Nov 19, 2007, at 8:32 PM, Peters, Kevin wrote:

        Here is my question - does anyone have the data on how many
times a hack (attack) has occurred associated to breaking the "launch
codes" from outside of the organization?  The last information I gleaned
from the FBI reports (several years ago) indicated that 70 percent of
hackings (attacks) were internal.

        My most recent experience with intrusions has had nothing to do
with a compromised password, rather an exploit of some vulnerability in
the OS, database, or application.

I track these things, and I cannot recall the last time I saw any report
of an incident caused by a guessed password.  Most common incidents are
phishing, trojans, snooping, physical theft of sensitive media, and
remote exploitation of bugs.

People devote huge amounts of effort to passwords because it is one of
the few things they think they can control.


Picking stronger passwords won't stop phishing.  It won't stop users
downloading trojans.  It won't stop capture of sensitive transmissions.
It won't bring back a stolen laptop (although if the laptop has proper
encryption it *might* protect the data).  And passwords won't ensure
that patches are in place but flaws aren't.


Creating and forcing strong password policies is akin to being the bosun
ensuring that everyone on the Titanic has locked their staterooms before
they abandon ship.  It doesn't stop the ship from sinking or save any
lives, but it sure does make you look like you're doing something
important.....
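A small audit script for the migration Steven describes in his second point, added here and not part of the thread: it classifies each /etc/shadow entry by hash scheme (legacy DES crypt(3) versus MD5-crypt and bcrypt/Blowfish) and flags pwdump-style Windows lines whose LM field still holds a real hash rather than the empty-password LM value that remains once LM storage is disabled. It goes slightly beyond the message by also recognising the later SHA-crypt prefixes; the shadow and pwdump layouts are assumed and the sample lines are constructed placeholders.

```python
import re
# LM hash of the empty password: what the LM field holds once LM storage is disabled.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
# Traditional crypt(3): 13 crypt-alphabet chars, 12-bit salt, 8-character password limit.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular-crypt prefixes: MD5-crypt and bcrypt are the upgrades the message names;
# the later SHA-crypt schemes are included to generalise the check.
SCHEMES = {"$1$": "md5-crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "sha256-crypt", "$6$": "sha512-crypt"}

def classify_crypt(field):
    """Name the hashing scheme behind one /etc/shadow password field."""
    if field == "" or field[0] in "*!":
        return "locked"  # no usable hash stored
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "des-crypt" if DES_CRYPT_RE.match(field) else "unknown"

def audit_shadow(text):
    """Return the users still on legacy DES crypt(3), in file order."""
    findings = []
    for line in text.splitlines():
        if ":" in line:
            user, field = line.split(":", 2)[:2]
            if classify_crypt(field) == "des-crypt":
                findings.append(user)
    return findings

def audit_pwdump(text):
    """Return users whose pwdump-style line (user:rid:LM:NT:::) still stores a real LM hash."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[2].lower() != EMPTY_LM_HASH:
            findings.append(parts[0])
    return findings

# Constructed sample data: placeholder hashes, not real accounts.
SAMPLE_SHADOW = """\
legacy:abJnggxhB/yWI:17000:0:99999:7:::
md5user:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:17000:0:99999:7:::
locked:!:17000:0:99999:7:::
"""
SAMPLE_PWDUMP = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::
"""
```

Run against a real shadow file or pwdump output, any user returned by `audit_shadow` or `audit_pwdump` is one whose stored hash the change Steven proposes would strengthen with no change to the user's password.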

