Educause Security Discussion mailing list archives
Re: Please do not change your password
From: "Doty, Timothy T." <tdoty () MST EDU>
Date: Wed, 14 Apr 2010 09:12:06 -0500
Google will give you a complete write-up of the Apache incident. Yes, they leveraged in via an XSS attack. But again, if cracking passwords has no value, why did they bother to grab the list?

As to David's response: I never said that passwords should be a specific length or complexity, I only observed that 8 characters (even if out of a broad set that did not restrict to "pseudo-pronounceable") is little better than plain text in the event of exposure of an unsalted hash table. Are you saying that this observation is incorrect?

Tim Doty
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Wednesday, April 14, 2010 9:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

Hold on to the torches and pitchforks - I'm just posing this for discussion....

But - in the case of "the Apache folks", how did the bad guys get the DB in the first place? Did they go in through someone else's password? Or did they obtain the DB through some other means, (ie, going around the administrative password?) Operating under the premise that the DB was already protected by some sort of authentication mechanism - the bad guys had to gain access to the DB in order to work on it.....but was that through a cracked password? How did they get in the front door? (In many cases - we'll never know.....most places that are "compromised" will never divulge the real story behind the initial compromise - for obvious security reasons.)

"Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning." - Albert Einstein

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Doty, Timothy T.
Sent: Wednesday, April 14, 2010 7:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

You say that passwords are no longer cracked? Then read up on the compromise the Apache folks had where the database of (unsalted) hashed passwords was obtained by the hackers. That is only a single case, but it is very recent and IMO very relevant. Those 8-char passwords are little better than plain text in such a situation. If the bad guys "just worked around" passwords why would they care to obtain a hash list? The argument is short sighted and misses the value of defense in depth.
Tim Doty

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Wednesday, April 14, 2010 8:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

Have there been any studies recently that have identified the net effects of "long passwords" or passphrases?....or complex passwords?

Before coming to higher ed, I came from the "sensitive" Fed sector - and they used 8-char passwords that were generated for you - upper/lower case, and one number, (and they used a cool little routine in the password generator that made the passwords "pseudo-pronounceable" so that they were easier to remember.) I also remember asking why they weren't required to use passwords that were longer, more complex, etc - and the answer was: "Passwords keep honest people honest - the vast majority (if not all) of compromised accounts have not come about by the way of 'cracked passwords' - they have come about by the capturing or surrendering of legitimate passwords. Captured through malware or bogus websites - Surrendered through phishing or social engineering means."

I was skeptical until I started doing some research on my own - and I couldn't find more than 1-2 obscure instances where a password was actually 'cracked' - most were cases where passwords were immaterial, and the system was compromised by "going around the password" altogether.

So - this does beg the question - even though longer passwords are theoretically harder to "crack", who cares....the bad guys are just going to go around them anyway....?

Thoughts? And thanks for the discussion....
Michael

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Ladwig
Sent: Wednesday, April 14, 2010 7:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

Unlikely that it'll change the audit book. Nor should it, necessarily. The study is really predicated on consumer accounts, and doesn't address duty of care issues for data custodians, among other things. I've rarely seen that mentioned over the last five months' discussion, since the paper was published.

One particularly acute point on this topic is the paper's assertion that financial fraud loses the user nothing. While true for some financial accounts situations for personal accounts, that is demonstrably not true for US commercial online bank accounts (see Krebsonsecurity.com for many examples), and as I recall isn't true for all personal banking accounts in other countries.

All that said, it's a goodish paper, and we've all known that passwords are horrid for well over a decade, but substantial progress on password replacement is pretty poor, overall.

-jml

-----Original Message-----
From: Justin Sherenco
Sent: 2010-04-14 08:04:59
To: Justin Sherenco; The EDUCAUSE Security Constituent Group Listserv
Cc:
Subject: [SECURITY] Please do not change your password

Hello,

I came across an interesting article on password changes. Author Cormac Herley of Microsoft makes a good case albeit just a cost-benefit analysis. I had to go back and think of why these types of policies were created in the first place. I came to my own conclusion that they were created before the days of complex password (passphrase) enforcement and the ability to automatically lock out accounts after X amount of failed log-in attempts.
Do you think he can convince the auditors?

http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full

Regards,
Justin

-------------------------------------
Justin Sherenco
Security Analyst
734-487-8574
Eastern Michigan University
http://it.emich.edu/security

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
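The point argued above, that an exposed table of unsalted hashes of short passwords is "little better than plain text", comes down to two properties of the storage scheme: whether one precomputed table serves against every record at once, and how much work each guess costs. The following is an added example (not code from the list discussion or from the Apache project) that contrasts a legacy unsalted SHA-1 store with a per-user salted, iterated PBKDF2 store, using a constructed two-user sample and a constructed candidate wordlist. The user names, passwords and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to share the same short password.
USERS = {"alice": "Summer08", "bob": "Summer08"}

# Constructed candidate list standing in for whatever a precomputed table covers.
CANDIDATES = ["Summer08", "Winter09", "Password1"]

ITERATIONS = 100_000  # assumed work factor; tune to your hardware budget


def unsalted_sha1(password: str) -> str:
    """Legacy scheme: the digest depends on the password alone."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hardened scheme: per-record random salt plus an iterated KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Create a stored record for the hardened scheme (salt kept alongside digest)."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "digest": salted_pbkdf2(password, salt, iterations),
    }


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a login attempt against a stored record."""
    got = salted_pbkdf2(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(got, record["digest"])


def shared_password_is_visible(scheme: str) -> bool:
    """True when the stored digests alone reveal that two users share a password."""
    if scheme == "unsalted":
        digests = [unsalted_sha1(p) for p in USERS.values()]
    else:
        digests = [make_record(p)["digest"] for p in USERS.values()]
    return len(set(digests)) < len(digests)


def precomputed_table_hits(scheme: str, candidates=CANDIDATES) -> int:
    """How many stored records a single table, built once and never re-salted,
    can identify. For the unsalted scheme one table serves every record; for
    the salted scheme the table's digests never match because each record's
    digest depends on its own salt."""
    if scheme == "unsalted":
        table = {unsalted_sha1(c) for c in candidates}
        stored = [unsalted_sha1(p) for p in USERS.values()]
    else:
        # Table built without knowledge of any per-user salt (fixed zero salt).
        table = {salted_pbkdf2(c, b"\x00" * 16) for c in candidates}
        stored = [make_record(p)["digest"] for p in USERS.values()]
    return sum(1 for d in stored if d in table)


if __name__ == "__main__":
    for scheme in ("unsalted", "salted"):
        print(scheme,
              "shared password visible:", shared_password_is_visible(scheme),
              "table hits:", precomputed_table_hits(scheme))
    rec = make_record("Summer08")
    print("verify correct:", verify(rec, "Summer08"),
          "verify wrong:", verify(rec, "summer08"))
```

Running it shows the unsalted store leaking that alice and bob share a password and matching both records from one small table, while the salted store shows neither; the iteration count additionally multiplies the per-guess cost, which is what the hardened scheme buys once a hash table has already left the building.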
Attachment: smime.p7s
Current thread:
- Please do not change your password Justin Sherenco (Apr 14)
- <Possible follow-ups>
- Re: Please do not change your password Morrow Long (Apr 14)
- Re: Please do not change your password John Ladwig (Apr 14)
- Re: Please do not change your password Paul Kendall (Apr 14)
- Re: Please do not change your password Sarazen, Daniel (Apr 14)
- Re: Please do not change your password Jones, Dan (Apr 14)
- Re: Please do not change your password SCHALIP, MICHAEL (Apr 14)
- Re: Please do not change your password Doty, Timothy T. (Apr 14)
- Re: Please do not change your password David LaPorte (Apr 14)
- Re: Please do not change your password SCHALIP, MICHAEL (Apr 14)
- Re: Please do not change your password Doty, Timothy T. (Apr 14)
- Re: Please do not change your password Mike Porter (Apr 14)
- Re: Please do not change your password Mike Porter (Apr 14)
- Re: Please do not change your password SCHALIP, MICHAEL (Apr 14)
- Re: Please do not change your password Justin Sherenco (Apr 14)
- Re: Please do not change your password Valdis Kletnieks (Apr 14)
- Re: Please do not change your password Basgen, Brian (Apr 14)
- Re: Please do not change your password Allison Dolan (Apr 14)
- Re: Please do not change your password Doty, Timothy T. (Apr 14)
- Re: Please do not change your password Paul Kendall (Apr 14)
- Re: Please do not change your password David LaPorte (Apr 14)
(Thread continues...)