Re: SECURITY Digest - 1 Apr 2019 to 2 Apr 2019 - Special issue (#2019-56)

[Kristi Olson <olsokris () ISU EDU>]

I to would also say no.  Just think of the liability if such a file were
found.    I wonder if they could get a score on the complexity of the
password and store that  rather then a password itself.



On Tue, Apr 2, 2019 at 3:35 PM SECURITY automatic digest system <
LISTSERV () listserv educause edu> wrote:

> There are 10 messages totalling 10448 lines in this issue.
>
> Topics in this special issue:
>
>   1. Interesting Research (10)
>
> ----------------------------------------------------------------------
>
> Date:    Tue, 2 Apr 2019 20:01:03 +0000
> From:    "King, Ronald A." <raking () NSU EDU>
> Subject: Interesting Research
>
> Fellow security pros,
>
> I have an interesting research request come in my inbox today. A
> researcher wants to setup a portal for students to self-register with a
> username and password. The kicker is passwords will be stored in plain text
> and collected. The premise is to gauge whether students are actually
> adhering to suggested practices in password design.
>
> My first reaction is "(heck) no," but I realize I may be overreacting. So,
> I decided to see if anyone has dealt with this kind of research and how you
> handled it.
>
> While I see the value in the research, my security senses tell me students
> will be using their standard password they use for everything. Thus big
> risk.
>
> Feel free to contact me directly.
>
> Thank you,
> Ron
>
> Ronald King
> Chief Information Security Officer
>
> Office of Information Technology
> (757) 823-2916 (Office)
> raking () nsu edu<mailto:raking () nsu edu>
> www.nsu.edu<http://www.nsu.edu/>
> @NSUCISO (Twitter)
> [NSU_logo_horiz_tag_4c - Smaller]
>
> ------------------------------
>
> Date:    Tue, 2 Apr 2019 20:14:37 +0000
> From:    Brad Judy <brad.judy () CU EDU>
> Subject: Re: Interesting Research
>
> Given the popularity of password reuse, I think there is the potential for
> ethical and security concerns in this research. Have they run it by the
> Institutional review board yet? Human subject research that potentially
> puts passwords at risk that might be used for a variety of personal,
> financial, social, etc. purposes needs to have appropriate controls and
> monitoring.
>
> How would they be incentivizing students to use this portal?
>
> Brad Judy
>
> Information Security Officer
> Office of Information Security
> University of Colorado
> 1800 Grant Street, Suite 300
> Denver, CO  80203
> Office: (303) 860-4293
> Fax: (303) 860-4302
> www.cu.edu<http://www.cu.edu/>
>
> [cu-logo_fl]
>
>
> From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of
> "King, Ronald A." <raking () NSU EDU>
> Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
> Date: Tuesday, April 2, 2019 at 2:11 PM
> To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: [SECURITY] Interesting Research
>
> Fellow security pros,
>
> I have an interesting research request come in my inbox today. A
> researcher wants to setup a portal for students to self-register with a
> username and password. The kicker is passwords will be stored in plain text
> and collected. The premise is to gauge whether students are actually
> adhering to suggested practices in password design.
>
> My first reaction is “(heck) no,” but I realize I may be overreacting. So,
> I decided to see if anyone has dealt with this kind of research and how you
> handled it.
>
> While I see the value in the research, my security senses tell me students
> will be using their standard password they use for everything. Thus big
> risk.
>
> Feel free to contact me directly.
>
> Thank you,
> Ron
>
> Ronald King
> Chief Information Security Officer
>
> Office of Information Technology
> (757) 823-2916 (Office)
> raking () nsu edu<mailto:raking () nsu edu>
> www.nsu.edu<http://www.nsu.edu/>
> @NSUCISO (Twitter)
> [NSU_logo_horiz_tag_4c - Smaller]
>
> ------------------------------
>
> Date:    Tue, 2 Apr 2019 20:20:09 +0000
> From:    "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
> Subject: Re: Interesting Research
>
> I suggest that the analysis of the chosen password be done at the time it
> is set before the password is protected.  It requires that the collection
> tool be more complicated, but the dataset would be too dangerous left in
> clear text.
>
>
> *        Allow the user to set any password they like
>
> *        Apply any 'password strength algorithm' that would usually be
> applied before allowing the password
>
> *        Record the results of the strength algorithm
>
> *        Protect the chosen password as it is stored
>
> From: The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
> Sent: Tuesday, April 02, 2019 3:01 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Interesting Research
>
>
> **** EXTERNAL EMAIL ****
> Fellow security pros,
>
> I have an interesting research request come in my inbox today. A
> researcher wants to setup a portal for students to self-register with a
> username and password. The kicker is passwords will be stored in plain text
> and collected. The premise is to gauge whether students are actually
> adhering to suggested practices in password design.
>
> My first reaction is "(heck) no," but I realize I may be overreacting. So,
> I decided to see if anyone has dealt with this kind of research and how you
> handled it.
>
> While I see the value in the research, my security senses tell me students
> will be using their standard password they use for everything. Thus big
> risk.
>
> Feel free to contact me directly.
>
> Thank you,
> Ron
>
> Ronald King
> Chief Information Security Officer
>
> Office of Information Technology
> (757) 823-2916 (Office)
> raking () nsu edu<mailto:raking () nsu edu>
> www.nsu.edu<
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.nsu.edu_&d=DwMFAg&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=9KkXBqRl0WZrydfb0oXt6rX5EwNiz_sQnNTR2sMHlgI&s=k0Ji8B4x7IaVr2LuFwcbBGeopwPAXMktXW9DyVdR6BE&e=
> >
> @NSUCISO (Twitter)
> [NSU_logo_horiz_tag_4c - Smaller]
>
> ------------------------------
>
> Date:    Tue, 2 Apr 2019 13:23:53 -0700
> From:    Hiram Wong <hiram.wong () DOMAIL MARICOPA EDU>
> Subject: Re: Interesting Research
>
> Hi Ron,
>
> Another concern is liability issues if the information collected is
> compromised.  You may want to run this by you Legal Counsel and Risk
> Management.
>
> Hiram
>
> On Tue, Apr 2, 2019 at 1:14 PM Brad Judy <brad.judy () cu edu> wrote:
>
> > Given the popularity of password reuse, I think there is the potential
> for
> > ethical and security concerns in this research. Have they run it by the
> > Institutional review board yet? Human subject research that potentially
> > puts passwords at risk that might be used for a variety of personal,
> > financial, social, etc. purposes needs to have appropriate controls and
> > monitoring.
> >
> >
> >
> > How would they be incentivizing students to use this portal?
> >
> >
> >
> > Brad Judy
> >
> >
> >
> > Information Security Officer
> >
> > Office of Information Security
> >
> > University of Colorado
> > 1800 Grant Street, Suite 300
> > Denver, CO  80203
> >
> > Office: (303) 860-4293
> >
> > Fax: (303) 860-4302
> >
> > www.cu.edu
> >
> >
> >
> > [image: cu-logo_fl]
> >
> >
> >
> >
> >
> > *From: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of
> > "King, Ronald A." <raking () NSU EDU>
> > *Reply-To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
> > *Date: *Tuesday, April 2, 2019 at 2:11 PM
> > *To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
> > *Subject: *[SECURITY] Interesting Research
> >
> >
> >
> > Fellow security pros,
> >
> >
> >
> > I have an interesting research request come in my inbox today. A
> > researcher wants to setup a portal for students to self-register with a
> > username and password. The kicker is passwords will be stored in plain
> text
> > and collected. The premise is to gauge whether students are actually
> > adhering to suggested practices in password design.
> >
> >
> >
> > My first reaction is “(heck) no,” but I realize I may be overreacting.
> So,
> > I decided to see if anyone has dealt with this kind of research and how
> you
> > handled it.
> >
> >
> >
> > While I see the value in the research, my security senses tell me
> students
> > will be using their standard password they use for everything. Thus big
> > risk.
> >
> >
> >
> > Feel free to contact me directly.
> >
> >
> >
> > Thank you,
> >
> > Ron
> >
> >
> >
> > *Ronald King*
> >
> > *Chief Information Security Officer*
> >
> >
> >
> > *Office of Information Technology*
> >
> > (757) 823-2916 (Office)
> >
> > raking () nsu edu
> >
> > www.nsu.edu
> >
> > @NSUCISO (Twitter)
> >
> > [image: NSU_logo_horiz_tag_4c - Smaller]
>
>
> --
> [image: eSig Logo]
> Hiram Wong, CISA, CISM
> Internal Audit
> 2411 West 14th Street, Tempe AZ 85281
> phone | 480-731-8827
> email | @domail.maricopa.edu
> website | https://www.maricopa.edu
> [image: eSig facebook] <https://www.facebook.com/maricopa.edu>[image: eSig
> twitter] <https://twitter.com/mcccd>[image: eSig linkedin]
> <https://www.linkedin.com/company/maricopa-community-colleges>[image: eSig
> youtube] <https://www.youtube.com/user/themcccdEDU>[image: eSig instagram]
> <https://instagram.com/maricopacc/>
>
>
> [image: facebook] <http://www.facebook.com/maricopa.edu>
>
> ------------------------------
>
> Date:    Tue, 2 Apr 2019 16:27:35 -0400
> From:    Gael Frouin <gfrouin () BERKLEE EDU>
> Subject: Re: Interesting Research
>
> Instead of storing the password in plain text, wouldn't it be better to run
> the quality checks on the password upon registration of the account (or
> password change)?
> If your quality rules are defined and assess prior to storage, you would
> eliminate the risk of insecure storage while maintaining the ability to
> report on the password quality criteria that were defined.
> Gaël
>
> On Tue, Apr 2, 2019 at 16:24 Hiram Wong <hiram.wong () domail maricopa edu>
> wrote:
>
> > Hi Ron,
> >
> > Another concern is liability issues if the information collected is
> > compromised.  You may want to run this by you Legal Counsel and Risk
> > Management.
> >
> > Hiram
> >
> > On Tue, Apr 2, 2019 at 1:14 PM Brad Judy <brad.judy () cu edu> wrote:
> >
> > > Given the popularity of password reuse, I think there is the potential
> > > for ethical and security concerns in this research. Have they run it by
> the
> > > Institutional review board yet? Human subject research that potentially
> > > puts passwords at risk that might be used for a variety of personal,
> > > financial, social, etc. purposes needs to have appropriate controls and
> > > monitoring.
> > >
> > >
> > >
> > > How would they be incentivizing students to use this portal?
> > >
> > >
> > >
> > > Brad Judy
> > >
> > >
> > >
> > > Information Security Officer
> > >
> > > Office of Information Security
> > >
> > > University of Colorado
> > > 1800 Grant Street, Suite 300
> > > <
> https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D%0ADenver,+CO+%C2%A080203+%0D%0A+Office:+(303&entry=gmail&source=g
> > > Denver, CO  80203
> > > <
> https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D%0ADenver,+CO+%C2%A080203+%0D%0A+Office:+(303&entry=gmail&source=g
> > > <
> https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D%0ADenver,+CO+%C2%A080203+%0D%0A+Office:+(303&entry=gmail&source=g
> > > Office: (303
> > > <
> https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D%0ADenver,+CO+%C2%A080203+%0D%0A+Office:+(303&entry=gmail&source=g
> > )
> > > 860-4293
> > >
> > > Fax: (303) 860-4302
> > >
> > > www.cu.edu
> > >
> > >
> > >
> > > [image: cu-logo_fl]
> > >
> > >
> > >
> > >
> > >
> > > *From: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of
> > > "King, Ronald A." <raking () NSU EDU>
> > > *Reply-To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
> > > *Date: *Tuesday, April 2, 2019 at 2:11 PM
> > > *To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
> > > *Subject: *[SECURITY] Interesting Research
> > >
> > >
> > >
> > > Fellow security pros,
> > >
> > >
> > >
> > > I have an interesting research request come in my inbox today. A
> > > researcher wants to setup a portal for students to self-register with a
> > > username and password. The kicker is passwords will be stored in plain
> text
> > > and collected. The premise is to gauge whether students are actually
> > > adhering to suggested practices in password design.
> > >
> > >
> > >
> > > My first reaction is “(heck) no,” but I realize I may be overreacting.
> > > So, I decided to see if anyone has dealt with this kind of research and
> how
> > > you handled it.
> > >
> > >
> > >
> > > While I see the value in the research, my security senses tell me
> > > students will be using their standard password they use for everything.
> > > Thus big risk.
> > >
> > >
> > >
> > > Feel free to contact me directly.
> > >
> > >
> > >
> > > Thank you,
> > >
> > > Ron
> > >
> > >
> > >
> > > *Ronald King*
> > >
> > > *Chief Information Security Officer*
> > >
> > >
> > >
> > > *Office of Information Technology*
> > >
> > > (757) 823-2916 (Office)
> > >
> > > raking () nsu edu
> > >
> > > www.nsu.edu
> > >
> > > @NSUCISO (Twitter)
> > >
> > > [image: NSU_logo_horiz_tag_4c - Smaller]
> >
> >
> > --
> > [image: eSig Logo]
> > Hiram Wong, CISA, CISM
> > Internal Audit
> > 2411 West 14th Street, Tempe AZ 85281
> > <
> https://maps.google.com/?q=2411+West+14th+Street,+Tempe+AZ+85281&entry=gmail&source=g
> > phone | 480-731-8827
> > email | @domail.maricopa.edu
> > website | https://www.maricopa.edu
> > [image: eSig facebook] <https://www.facebook.com/maricopa.edu>[image:
> > eSig twitter] <https://twitter.com/mcccd>[image: eSig linkedin]
> > <https://www.linkedin.com/company/maricopa-community-colleges>[image:
> > eSig youtube] <https://www.youtube.com/user/themcccdEDU>[image: eSig
> > instagram] <https://instagram.com/maricopacc/>
> >
> >
> > [image: facebook] <http://www.facebook.com/maricopa.edu>
>
> ------------------------------
>
> Date:    Tue, 2 Apr 2019 20:42:43 +0000
> From:    "Albrecht, Travis" <albrecht () UWGB EDU>
> Subject: Re: Interesting Research
>
> If the goal is to "gauge whether students are actually adhering to
> suggested practices in password design", why capture username at all?
>
> Travis Albrecht
> INFORMATION TECHNOLOGY SECURITY OFFICER
>
> ............................................................................................
> Information Technology Division
> UW-Green Bay, 2420 Nicolet Drive, Green Bay, WI 54311
> tel: (920) 465-2974  |  e-mail: albrecht () uwgb edu<mailto:albrecht () uwgb edu
> >
>
>
> From: The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
> Sent: Tuesday, April 2, 2019 3:01 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Interesting Research
>
> Fellow security pros,
>
> I have an interesting research request come in my inbox today. A
> researcher wants to setup a portal for students to self-register with a
> username and password. The kicker is passwords will be stored in plain text
> and collected. The premise is to gauge whether students are actually
> adhering to suggested practices in password design.
>
> My first reaction is "(heck) no," but I realize I may be overreacting. So,
> I decided to see if anyone has dealt with this kind of research and how you
> handled it.
>
> While I see the value in the research, my security senses tell me students
> will be using their standard password they use for everything. Thus big
> risk.
>
> Feel free to contact me directly.
>
> Thank you,
> Ron
>
> Ronald King
> Chief Information Security Officer
>
> Office of Information Technology
> (757) 823-2916 (Office)
> raking () nsu edu<mailto:raking () nsu edu>
> www.nsu.edu<http://www.nsu.edu/>
> @NSUCISO (Twitter)
> [NSU_logo_horiz_tag_4c - Smaller]
>
> ------------------------------
>
> Date:    Tue, 2 Apr 2019 16:56:57 -0400
> From:    "Laverty, Patrick" <patrick_laverty () BROWN EDU>
> Subject: Re: Interesting Research
>
> I would also say to not participate in this research.
>
> If you really want to test whether your students are adhering, then do some
> password cracking of the stored hashes. Or at a minimum, hash some really
> weak passwords, and compare those hashes to what your students are using.
> And if you want to know if some of your students have chosen weak
> passwords, the answer is yes. :)
>
>
>
> On Tue, Apr 2, 2019 at 4:11 PM King, Ronald A. <raking () nsu edu> wrote:
>
> > Fellow security pros,
> >
> >
> >
> > I have an interesting research request come in my inbox today. A
> > researcher wants to setup a portal for students to self-register with a
> > username and password. The kicker is passwords will be stored in plain
> text
> > and collected. The premise is to gauge whether students are actually
> > adhering to suggested practices in password design.
> >
> >
> >
> > My first reaction is “(heck) no,” but I realize I may be overreacting.
> So,
> > I decided to see if anyone has dealt with this kind of research and how
> you
> > handled it.
> >
> >
> >
> > While I see the value in the research, my security senses tell me
> students
> > will be using their standard password they use for everything. Thus big
> > risk.
> >
> >
> >
> > Feel free to contact me directly.
> >
> >
> >
> > Thank you,
> >
> > Ron
> >
> >
> >
> > *Ronald King*
> >
> > *Chief Information Security Officer*
> >
> >
> >
> > *Office of Information Technology*
> >
> > (757) 823-2916 (Office)
> >
> > raking () nsu edu
> >
> > www.nsu.edu
> >
> > @NSUCISO (Twitter)
> >
> > [image: NSU_logo_horiz_tag_4c - Smaller]
>
> ------------------------------
>
> Date:    Tue, 2 Apr 2019 20:59:38 +0000
> From:    "Barton, Robert W." <bartonrt () LEWISU EDU>
> Subject: Re: Interesting Research
>
> Always error on the side of paranoia.  Your gut feels are good.
>
> Robert W. Barton
> Executive Director of Information Security and Policy
> Lewis University
> One University Parkway
> Romeoville, IL  60446-2200
> 815-836-5663
>
> From: The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Laverty, Patrick
> Sent: Tuesday, April 2, 2019 3:57 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Interesting Research
>
> I would also say to not participate in this research.
>
> If you really want to test whether your students are adhering, then do
> some password cracking of the stored hashes. Or at a minimum, hash some
> really weak passwords, and compare those hashes to what your students are
> using. And if you want to know if some of your students have chosen weak
> passwords, the answer is yes. :)
>
>
>
> On Tue, Apr 2, 2019 at 4:11 PM King, Ronald A. <raking () nsu edu<mailto:
> raking () nsu edu>> wrote:
> Fellow security pros,
>
> I have an interesting research request come in my inbox today. A
> researcher wants to setup a portal for students to self-register with a
> username and password. The kicker is passwords will be stored in plain text
> and collected. The premise is to gauge whether students are actually
> adhering to suggested practices in password design.
>
> My first reaction is “(heck) no,” but I realize I may be overreacting. So,
> I decided to see if anyone has dealt with this kind of research and how you
> handled it.
>
> While I see the value in the research, my security senses tell me students
> will be using their standard password they use for everything. Thus big
> risk.
>
> Feel free to contact me directly.
>
> Thank you,
> Ron
>
> Ronald King
> Chief Information Security Officer
>
> Office of Information Technology
> (757) 823-2916 (Office)
> raking () nsu edu<mailto:raking () nsu edu>
> www.nsu.edu<http://www.nsu.edu/>
> @NSUCISO (Twitter)
> [NSU_logo_horiz_tag_4c - Smaller]
>
>
> This message (including any attachments) is intended only for
> the use of the individual or entity to which it is addressed and
> may contain information that is non-public, proprietary,
> privileged, confidential, and exempt from disclosure under
> applicable law or may constitute as attorney work product.
> If you are not the intended recipient, you are hereby notified
> that any use, dissemination, distribution, or copying of this
> communication is strictly prohibited. If you have received this
> communication in error, notify us immediately by telephone at
> (815)-836-5950 and
> (i) destroy this message if a facsimile or (ii) delete this message
> immediately if this is an electronic communication.
>
> Thank you.
>
> ------------------------------
>
> Date:    Tue, 2 Apr 2019 21:21:21 +0000
> From:    Greg Williams <gwillia5 () UCCS EDU>
> Subject: Re: Interesting Research
>
> Microsoft did some similar type of research regarding password reuse back
> in 2006.  I have my students read this paper for my courses. They had 544k
> users opt in.  They took the Microsoft Live Toolbar and it hashed the
> user's password on any site they visited.  If they accessed another site
> and the password had the same hash, it would report the password reuse.  No
> data was ever stored at Microsoft except how many times a password was
> reused and on how many different sites.  You can read the paper, and you
> already knew that a typical user only has 5 to 6 unique passwords for 30 or
> so sites.  This is obviously different now, 13 years later.
>
> I agree with all the other comments, but you could ask the student to look
> at the research paper and see how they could improve their research methods
> by not storing the password as there are so many concerns with this.
>
> The paper is at: https://dl.acm.org/citation.cfm?id=1242661
>
> Greg Williams, ME
> Director of Operations
> Office of Information Technology
> Lecturer
> Department of Computer Science
>
> University of Colorado Colorado Springs
> 1420 Austin Bluffs Parkway, (EPC 136A)
> Colorado Springs, CO 80918
> Phone: (719) 255-3292
> Connect: Skype<skype:gwillia5 () uccs edu?chat> | WebEx<
> https://uccs.webex.com/meet/gregwilliams>
> www.uccs.edu<http://www.uccs.edu/>
>
> From: The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
> Sent: Tuesday, April 2, 2019 2:01 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Interesting Research
>
> Fellow security pros,
>
> I have an interesting research request come in my inbox today. A
> researcher wants to setup a portal for students to self-register with a
> username and password. The kicker is passwords will be stored in plain text
> and collected. The premise is to gauge whether students are actually
> adhering to suggested practices in password design.
>
> My first reaction is "(heck) no," but I realize I may be overreacting. So,
> I decided to see if anyone has dealt with this kind of research and how you
> handled it.
>
> While I see the value in the research, my security senses tell me students
> will be using their standard password they use for everything. Thus big
> risk.
>
> Feel free to contact me directly.
>
> Thank you,
> Ron
>
> Ronald King
> Chief Information Security Officer
>
> Office of Information Technology
> (757) 823-2916 (Office)
> raking () nsu edu<mailto:raking () nsu edu>
> www.nsu.edu<
> https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nsu.edu%2F&data=02%7C01%7Cgwillia5%40UCCS.EDU%7Ca5027abee9a545b553fb08d6b7a75903%7C529343fae8c8419fab2ea70c10038810%7C1%7C0%7C636898326747116750&sdata=mXcWReUmOzlC3fXfkGEUEON6yBQGrzNSeBCyJQSghQY%3D&reserved=0
> >
> @NSUCISO (Twitter)
> [NSU_logo_horiz_tag_4c - Smaller]
>
> ------------------------------
>
> Date:    Tue, 2 Apr 2019 21:25:07 +0000
> From:    Ashlar Trystan <atrystan () UW EDU>
> Subject: Re: Interesting Research
>
> That article was fascinating, thanks for sharing.
>
> --
> Ashlar Trystan
> Technology Systems Specialist
> UW Learning Technologies
> Academic & Student Affairs
> Pronouns: They/Their
>
> Mail: Box 353080
> Odegaard Library, Room 240B
> Street: 4060 George Washington Lane NE, Seattle, WA, 98105
> 206-221-4889
> atrystan () uw edu<mailto:atrystan () uw edu>
>
> [cid:image002.png@01D24AE3.CDB4B750]
>
>
>
> From: The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Greg Williams
> Sent: Tuesday, April 2, 2019 2:21 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Interesting Research
>
> Microsoft did some similar type of research regarding password reuse back
> in 2006.  I have my students read this paper for my courses. They had 544k
> users opt in.  They took the Microsoft Live Toolbar and it hashed the
> user's password on any site they visited.  If they accessed another site
> and the password had the same hash, it would report the password reuse.  No
> data was ever stored at Microsoft except how many times a password was
> reused and on how many different sites.  You can read the paper, and you
> already knew that a typical user only has 5 to 6 unique passwords for 30 or
> so sites.  This is obviously different now, 13 years later.
>
> I agree with all the other comments, but you could ask the student to look
> at the research paper and see how they could improve their research methods
> by not storing the password as there are so many concerns with this.
>
> The paper is at: https://dl.acm.org/citation.cfm?id=1242661
>
> Greg Williams, ME
> Director of Operations
> Office of Information Technology
> Lecturer
> Department of Computer Science
>
> University of Colorado Colorado Springs
> 1420 Austin Bluffs Parkway, (EPC 136A)
> Colorado Springs, CO 80918
> Phone: (719) 255-3292
> Connect: Skype<skype:gwillia5 () uccs edu?chat> | WebEx<
> https://uccs.webex.com/meet/gregwilliams>
> www.uccs.edu<http://www.uccs.edu/>
>
> From: The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On
> Behalf Of King, Ronald A.
> Sent: Tuesday, April 2, 2019 2:01 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: [SECURITY] Interesting Research
>
> Fellow security pros,
>
> I have an interesting research request come in my inbox today. A
> researcher wants to setup a portal for students to self-register with a
> username and password. The kicker is passwords will be stored in plain text
> and collected. The premise is to gauge whether students are actually
> adhering to suggested practices in password design.
>
> My first reaction is "(heck) no," but I realize I may be overreacting. So,
> I decided to see if anyone has dealt with this kind of research and how you
> handled it.
>
> While I see the value in the research, my security senses tell me students
> will be using their standard password they use for everything. Thus big
> risk.
>
> Feel free to contact me directly.
>
> Thank you,
> Ron
>
> Ronald King
> Chief Information Security Officer
>
> Office of Information Technology
> (757) 823-2916 (Office)
> raking () nsu edu<mailto:raking () nsu edu>
> www.nsu.edu<
> https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nsu.edu%2F&data=02%7C01%7Cgwillia5%40UCCS.EDU%7Ca5027abee9a545b553fb08d6b7a75903%7C529343fae8c8419fab2ea70c10038810%7C1%7C0%7C636898326747116750&sdata=mXcWReUmOzlC3fXfkGEUEON6yBQGrzNSeBCyJQSghQY%3D&reserved=0
> >
> @NSUCISO (Twitter)
> [NSU_logo_horiz_tag_4c - Smaller]
>
> ------------------------------
>
> End of SECURITY Digest - 1 Apr 2019 to 2 Apr 2019 - Special issue
> (#2019-56)
>
> ****************************************************************************


-- 
Kristi Olson
Director Information Security  -  Information Technology Services
Idaho State University
olsokris () isu edu
208-282-3129
http://www.isu.edu
Discover Opportunity