Educause Security Discussion mailing list archives
Re: Passphrases v Password
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Sat, 6 Jul 2013 00:04:13 +0000
Real-world attackers do crack passwords. For instance, the South Carolina Department of Revenue in late 2012. In that incident, the attackers probably got their initial access via a phishing attack but used password cracking to gain access to additional systems. Mandiant did a report on the incident: http://docs.ismgcorp.com/files/external/MANDIANT_Public_IR_Report_Dept_of_Revenue_11202012.pdf

There have also been some high-profile incidents involving hashes stolen from websites (e.g. LinkedIn). There is little point in stealing hashes if you don't intend to crack them. In general, attackers will do what works.

I agree with moving toward two-factor authentication. In many cases, e.g. any Windows system, it's too difficult to get users to pick passwords that are not practically crackable.

Steven

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Rich Graves [rgraves () CARLETON EDU]
Sent: Friday, July 05, 2013 12:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passphrases v Password

Is this driven by a specific external requirement? Unless your current passwords are laughably bad [1], I don't think this should be a priority. Passwords are stolen by malware and phishing, not cracking. To protect against sniffing attacks, use later versions of signed CIFS protocols.

I'd advise you to leave passwords alone and try to get to "2-step verification" where it matters. Use 2-factor to protect the highest risk assets, but the "remember this device" strategy employed by Google, Facebook, Evernote, Amazon, DropBox, and many banks is pretty good.

[1] Until 2006, Carleton required passwords of exactly 8 characters, with no other checking. Help desk representatives were instructed to set passwords to "carleton" and politely ask users to change them later. A large percentage of users did not.
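The thread turns on whether a policy produces passwords that are "practically crackable" and cites the old fixed-8-character rule as a laughably bad one. The following is an added example, not code from the thread or from either author, that a defender can use to put numbers on that comparison: it computes the keyspace and entropy of each policy and the expected exhaustive-search time under two assumed guess rates, one for a fast unsalted hash and one for a deliberately slow adaptive hash. The guess rates, the 95-character alphabet, the 7776-word list size and the policy labels are all constructed assumptions for illustration. Exhaustive search is a worst case for the attacker; real cracking uses wordlists and rules, so the human-chosen password rows are an upper bound on effort while the uniformly chosen passphrase rows are accurate.

```python
import math

# Illustrative guess rates in guesses per second for a single cracking rig.
# Constructed assumptions for this example, not figures from the thread; the
# point is the gap between a fast unsalted hash and a deliberately slow one.
GUESS_RATES = {
    "fast_unsalted_hash": 1e11,   # NTLM-class hash on a GPU (assumed order of magnitude)
    "slow_adaptive_hash": 1e4,    # bcrypt/scrypt at a high cost factor (assumed)
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def password_keyspace(length: int, alphabet_size: int) -> int:
    """Candidates for a password of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def passphrase_keyspace(word_count: int, wordlist_size: int) -> int:
    """Candidates for a passphrase of `word_count` words drawn uniformly from a wordlist."""
    return wordlist_size ** word_count


def entropy_bits(keyspace: int) -> float:
    """Entropy of a secret chosen uniformly from `keyspace` candidates."""
    return math.log2(keyspace)


def expected_crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    return (keyspace / 2) / guesses_per_second


def policy_report(label: str, keyspace: int) -> dict:
    """Summarise one policy as entropy plus expected crack time under each assumed rate."""
    return {
        "policy": label,
        "bits": round(entropy_bits(keyspace), 1),
        "years": {
            name: expected_crack_seconds(keyspace, rate) / SECONDS_PER_YEAR
            for name, rate in GUESS_RATES.items()
        },
    }


def compare_policies() -> list:
    """Compare the fixed-8-character rule from the thread with diceware-style passphrases."""
    policies = [
        # Exactly 8 characters with no other checking; lowercase-only is an assumption.
        ("8 chars, lowercase only", password_keyspace(8, 26)),
        # 8 characters from the 95 printable ASCII characters (assumed alphabet).
        ("8 chars, full printable ASCII", password_keyspace(8, 95)),
        # Four words from a 7776-word diceware list (assumed list size).
        ("4-word diceware passphrase", passphrase_keyspace(4, 7776)),
        # Six words from the same list.
        ("6-word diceware passphrase", passphrase_keyspace(6, 7776)),
    ]
    return [policy_report(label, space) for label, space in policies]


if __name__ == "__main__":
    for report in compare_policies():
        years = ", ".join(f"{k}: {v:.3g} years" for k, v in report["years"].items())
        print(f'{report["policy"]:32} {report["bits"]:5.1f} bits  {years}')
```

Run it directly to print one line per policy. The "years" figures are what matter for a policy decision: under the fast-hash rate the 8-character rows fall to seconds or days, while the passphrase rows and the slow-hash column show how much is gained from each of the two levers, a larger uniform keyspace and a slower hash, independently of whether users pick better passwords.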
Current thread:
- Passphrases v Password Cathy Hubbs (Jul 05)
- Re: Passphrases v Password Will Froning (Jul 05)
- Re: Passphrases v Password Joel L. Rosenblatt (Jul 05)
- Re: Passphrases v Password Cathy Hubbs (Jul 05)
- Re: Passphrases v Password randy (Jul 05)
- Re: Passphrases v Password SCHALIP, MICHAEL (Jul 05)
- Re: Passphrases v Password Michael Sinatra (Jul 05)
- Re: Passphrases v Password Rich Graves (Jul 05)
- Re: Passphrases v Password Steven Alexander (Jul 05)
- Re: Passphrases v Password Rich Graves (Jul 05)
- Re: Passphrases v Password Will Froning (Jul 05)
- Re: Passphrases v Password Rich Graves (Jul 05)
- Re: Passphrases v Password Mike Osterman (Jul 05)
- Re: Passphrases v Password Will Froning (Jul 05)
- Re: Passphrases v Password Steven Alexander (Jul 05)
- Re: Passphrases v Password Will Froning (Jul 05)
- Re: Passphrases v Password Cathy Hubbs (Jul 05)
- Re: Passphrases v Password scott hollatz (Jul 05)
- Re: Passphrases v Password Ray McClure (Jul 06)
- Re: Passphrases v Password Tim Doty (Jul 08)
- Re: Passphrases v Password randy (Jul 08)
- Re: Passphrases v Password scott hollatz (Jul 05)