Re: Interesting Reseach

[Glenn Forbes Fleming Larratt <gl89 () CORNELL EDU>]

Dear Ron,

I agree with your first reaction.

Others have suggested hash-and-analyze-then-store-encrypted; an extra 
wrinkle on this would be to suggest the researcher download the hashes of
compromised passwords from https://haveibeenpwned.com/, and analyze to see 
if the students are not only reusing, but using already-compromised creds.

Best,
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

> ----------------------------------------------------------------------
>
> Date:    Tue, 2 Apr 2019 20:01:03 +0000
> From:    "King, Ronald A." <raking () NSU EDU>
> Subject: Interesting Research
>
> Fellow security pros,
>
> I have an interesting research request come in my inbox today. A 
> researcher wants to setup a portal for students to self-register with a 
> username and password. The kicker is passwords will be stored in plain 
> text and collected. The premise is to gauge whether students are 
> actually adhering to suggested practices in password design. 
>
> My first reaction is "(heck) no," but I realize I may be overreacting. 
> So, I decided to see if anyone has dealt with this kind of research and 
> how you handled it.
>
> While I see the value in the research, my security senses tell me 
> students will be using their standard password they use for everything. 
> Thus big risk.
>
> Feel free to contact me directly.
>
> Thank you,
> Ron
>
> Ronald King
> Chief Information Security Officer
>
> Office of Information Technology
> (757) 823-2916 (Office)
> raking () nsu edu<mailto:raking () nsu edu>
> www.nsu.edu<http://www.nsu.edu/>
> @NSUCISO (Twitter)
> [NSU_logo_horiz_tag_4c - Smaller]