Re: Please do not change your password

["Doty, Timothy T." <tdoty () MST EDU>]

Google will give you a complete write up of the Apache incident. Yes, they
leveraged in via a XSS attack. But again, if cracking passwords has no
value, why did they bother to grab the list?

As to David's response: I never said that passwords should be a specific
length or complexity, I only observed that 8 characters (even if out of a
broad set that did not restrict to "pseudo-pronouncable") is little better
than plain text in the event of exposure of unsalted hash table. Are you
saying that this observation is incorrect?

Tim Doty

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
> Sent: Wednesday, April 14, 2010 9:06 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Please do not change your password
>
> Hold on to the torches and pitchforks - I'm just posing this for
> discussion....
>
> But - in the case of "the Apache folks", how did the bad guys get the
> DB in the first place?  Did they go in through someone else's password?
> Or did they obtain the DB through some other means, (ie, going around
> the administrative password?)
>
> Operating under the premise that the DB was already protected by some
> sort of authentication mechanism - the bad guys had to gain access to
> the DB in order to work on it.....but was that through a cracked
> password?  How did they get in the front door?  (In many cases - we'll
> never know.....most places that are "compromised" will never divulge
> the real story behind the initial compromise - for obvious security
> reasons.)
>
> "Learn from yesterday, live for today, hope for tomorrow. The important
> thing is not to stop questioning." - Albert Einstein
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Doty, Timothy T.
> Sent: Wednesday, April 14, 2010 7:55 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Please do not change your password
>
> You say that passwords are no longer cracked? Then read up on the
> compromise
> the Apache folks had where the database of (unsalted) hashed passwords
> was
> obtained by the hackers. That is only a single case, but it is very
> recent
> and IMO very relevant. Those 8-char passwords are little better than
> plain
> text in such a situation.
>
> If the bad guys "just worked around" passwords why would they care to
> obtain
> a hash list? The argument is short sighted and misses the value of
> defense
> in depth.
>
> Tim Doty
>
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
> > Sent: Wednesday, April 14, 2010 8:43 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Please do not change your password
> >
> > Have there been any studies recently that have identified the net
> > effects of "long passwords" or passphrases?....or complex passwords?
> > Before coming to higher ed, I came from the "sensitive" Fed sector -
> > and they used 8-char passwords that were generated for you -
> > upper/lower case, and one number, (and they used a cool little
> routine
> > in the password generator that made the passwords "pseudo-
> > pronounceable" so that they were easier to remember.)
> >
> > I also remember asking why they weren't required to use passwords
> that
> > were longer, more complex, etc - and the answer was: "Passwords keep
> > honest people honest - the vast majority (if not all) of compromised
> > accounts have not come about by the way of 'cracked passwords' - they
> > have come about by the capturing or surrendering of legitimate
> > passwords.  Captured through malware or bogus websites - Surrendered
> > through phishing or social engineering means."  I was skeptical until
> I
> > started doing some research on my own - and I couldn't find more than
> > 1-2 obscure instances where a password was actually 'cracked' - most
> > were cases where passwords were immaterial, and the system was
> > compromised by "going around the password" altogether.
> >
> > So - this does beg the question - even though longer passwords are
> > theoretically harder to "crack", who cares....the bad guys are just
> > going to go around them anyway....?
> >
> > Thoughts?  And thanks for the discussion....
> >
> > Michael
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Ladwig
> > Sent: Wednesday, April 14, 2010 7:27 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Please do not change your password
> >
> > Unlikely that it'll change the audit book.
> >
> > Nor should it, necessarily.  The study is really predicated on
> consumer
> > accounts, and doesn't address duty of care issues for data
> custodians,
> > among other things.  I've rarely seen that mentioned over the last
> five
> > months' discussion, since the paper was published.
> >
> > One particularly acute point on this topic is the paper's assertion
> > that financial fraud loses the use nothing.  While true for some
> > financial accounts situations for personal accounts, that is
> > demonstrably not true for US commercial online bank accounts (see
> > Krebsonsecurity.com for many examples), and as I recall isn't true
> for
> > all personal banking accounts in other countries.
> >
> > All that said, it's a goodish paper, and we've all known that
> passwords
> > are horrid for well over a decade, but substantial progress on
> password
> > replacement is pretty poor, overall.
> >
> >     -jml
> >
> >
> > -----Original Message-----
> > From: Justin Sherenco
> > Sent: 2010-04-14 08:04:59
> > To: Justin Sherenco;The EDUCAUSE Security Constituent Group Listserv
> > Cc:
> > Subject: [SECURITY] Please do not change your password
> >
> >
> > Hello,
> >
> > I came across an interesting article on password changes.  Author
> > Cormac
> > Herley of Microsoft makes a good case albeit just a cost-benefit
> > analysis.
> > I had to go back and think of why these types of policies were
> created
> > in
> > the first place.  I came to my own conclusion that they were created
> > before the days of complex password (passphrase) enforcement and the
> > ability to automatically lock out accounts after X amount of failed
> > log-in
> > attempts.
> >
> >
> >
> > Do you think he can convince the auditors?
> <http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_
> > not
> > _change_your_password/?page=full>
> http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_n
> > ot_
> > change_your_password/?page=full
> >
> >
> >
> > Regards,
> >
> > Justin
> >
> >
> >
> >
> >
> > -------------------------------------
> >
> > Justin Sherenco
> >
> > Security Analyst
> >
> > 734-487-8574
> >
> > Easten Michigan University
> >
> > http://it.emich.edu/security
> >
> >
> >
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

Attachment: smime.p7s
Description: