Educause Security Discussion mailing list archives

Re: Password change *recommended* -- RESULTS?


From: Joseph Tam <tam () MATH UBC CA>
Date: Thu, 17 Apr 2014 23:37:55 -0700

Robert Meyers <REMeyers () MAIL WVU EDU> writes:

> With all the conversation about the need for complex passwords, how
> many can honestly report that their institution has suffered a
> significant data incident because of a hack or brute force attack on
> user passwords?
>
> How many breaches have been reported in the edu community because a
> user password was too weak?

It depends on what you mean by weak.  If you mean spectacularly weak, a
few.  It's usually the case of someone doing their own OS install and
installing an account with password "123" or something like that.

That is also the primary ingress method for people who reply to my
security incident reports on their hosts doing ssh BFD attacks.

However, to my knowledge, no one has brute-forced our passwords from
without, even though some users are still using old-style 8-char
Unix crypt hashes.  The ssh BFD attempts fill my logs, but it
is more of a nuisance than a real threat.

That being said, there are still cases where I haven't found out how
passwords were divulged, but for nearly all the ones where I have been
able to find the reason, it was from being phished.

Joseph Tam <tam () math ubc ca>
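The distinction drawn above, between ssh brute-force attempts that merely fill the logs and the rarer case where one of them actually gets in, is easy to automate. The script below is an added example and is not code from the original post or from UBC; it parses constructed sshd syslog lines (the sample log, host name, user names and IP addresses are all made up for the example, and the "five failures" noise threshold is an arbitrary choice) and separates pure brute-force noise from sources that succeeded with a password after failing from the same address, which is the pattern that would turn a nuisance into an incident.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (standard syslog format); not taken from
# the original post. 198.51.100.7 is brute-force noise that never succeeds,
# 203.0.113.9 guesses its way in after a few failures, and 192.0.2.20 is a
# normal key-based login.
SAMPLE_LOG = """\
Apr 17 22:01:03 host sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Apr 17 22:01:05 host sshd[4103]: Failed password for root from 198.51.100.7 port 51024 ssh2
Apr 17 22:01:08 host sshd[4105]: Failed password for invalid user oracle from 198.51.100.7 port 51030 ssh2
Apr 17 22:01:11 host sshd[4107]: Failed password for root from 198.51.100.7 port 51033 ssh2
Apr 17 22:01:14 host sshd[4109]: Failed password for invalid user test from 198.51.100.7 port 51040 ssh2
Apr 17 22:01:17 host sshd[4111]: Failed password for root from 198.51.100.7 port 51041 ssh2
Apr 17 22:05:40 host sshd[4210]: Failed password for jdoe from 203.0.113.9 port 40010 ssh2
Apr 17 22:05:44 host sshd[4212]: Failed password for jdoe from 203.0.113.9 port 40011 ssh2
Apr 17 22:05:49 host sshd[4214]: Failed password for jdoe from 203.0.113.9 port 40012 ssh2
Apr 17 22:05:53 host sshd[4216]: Accepted password for jdoe from 203.0.113.9 port 40013 ssh2
Apr 17 22:09:01 host sshd[4301]: Accepted publickey for alice from 192.0.2.20 port 33000 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>"
# lines that OpenSSH writes for password and public-key authentication.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text):
    """Yield (result, method, user, ip) for each recognised sshd auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def triage(log_text, noise_threshold=5):
    """Split source addresses into brute-force noise and suspicious successes.

    noise:      IPs with at least noise_threshold failures and no successful
                login at all (the log filler the post describes).
    suspicious: IPs that eventually logged in *with a password* after one or
                more failures from the same address; a key-based login is
                not counted, since it cannot result from password guessing.
    The threshold of five is an arbitrary value chosen for this example.
    """
    failures = defaultdict(int)
    successes = defaultdict(list)
    for result, method, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip] += 1
        else:
            successes[ip].append((user, method))

    noise = sorted(
        ip for ip, n in failures.items()
        if n >= noise_threshold and ip not in successes
    )
    suspicious = {}
    for ip, logins in successes.items():
        pw_users = sorted({u for u, m in logins if m == "password"})
        if failures.get(ip, 0) > 0 and pw_users:
            suspicious[ip] = {"failures": failures[ip], "users": pw_users}
    return noise, suspicious


if __name__ == "__main__":
    noise, suspicious = triage(SAMPLE_LOG)
    print("brute-force noise (ignore):", noise)
    print("password login after failures (investigate):", suspicious)
```

Run it against a real `/var/log/auth.log` or `journalctl -u sshd` export by passing the file contents to `triage()`; the `noise` list is what fills the logs, while anything in `suspicious` is worth a conversation with the account owner, since a password guessed after a handful of failures is exactly the "123"-style account the post warns about.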

