Educause Security Discussion mailing list archives
Re: Password change *recommended* -- RESULTS?
From: Joseph Tam <tam () MATH UBC CA>
Date: Thu, 17 Apr 2014 23:37:55 -0700
Robert Meyers <REMeyers () MAIL WVU EDU> writes:
With all the conversation about the need for complex passwords, how many can honestly report that their institution has suffered a significant data incident because of a hack or brute force attack on user passwords? How many breaches have been reported in the edu community because a user password was too weak?
It depends on what you mean by weak. If you mean spectaculary weak, a few. It's usually the case of someone doing their own OS install and installing an account with password "123" or something like that. That is also the primary ingress method for people who reply to my security incident reports on their hosts doing ssh BFD attacks. However, to my knowledge, no one has brute forced our passwords from without, even though some users are still using old style 8-char Unix style crypt hashes. The ssh BFD attempts fill my logs, but it is more of a nuisance than a real threat. That being said, there are still cases where I still haven't found out how passwords were divulged, but nearly all the ones I have been able to find the reason for, it was from being phished. Joseph Tam <tam () math ubc ca>
Current thread:
- Re: Password change *recommended* -- RESULTS?, (continued)
- Re: Password change *recommended* -- RESULTS? McClenon, Brady (Apr 16)
- Re: Password change *recommended* -- RESULTS? David Walker (Apr 16)
- Re: Password change *recommended* -- RESULTS? Robert Meyers (Apr 17)
- Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 17)
- Re: Password change *recommended* -- RESULTS? Joel L. Rosenblatt (Apr 17)
- Re: Password change *recommended* -- RESULTS? Williams, Charles (Apr 17)
- Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 17)
- Re: Password change *recommended* -- RESULTS? McClenon, Brady (Apr 16)
- Re: Password change *recommended* -- RESULTS? Brad Judy (Apr 18)
- Re: Password change *recommended* -- RESULTS? David Walker (Apr 23)
- Re: Password change *recommended* -- RESULTS? Chris Green (Apr 24)