Educause Security Discussion mailing list archives

Re: Interesting Research


From: "King, Ronald A." <raking () NSU EDU>
Date: Tue, 9 Apr 2019 18:53:57 +0000

Thank you all for responding. This is great info I will be sharing with the researcher, our IRB, our CIO and possibly 
legal.

Some quick replies to questions:

* The IRB has yet to approve this research.

* Using a tool to analyze a password to detect strength: the idea of the research is to see if training on
  strong passwords paid off. Such a tool may or may not work as I would think we would need to know the strength before
  and after the training.

* I am not sure why they need username. I will follow up.

* I hadn't thought of the privacy impact, but, now that I have, the risk has grown.

  o (I foresee) Then getting consent or warning the student ahead of time would logically lead to a student adapting
    momentarily and invalidating the research.

* I do not know if the VCR/VPR is involved in this. Our CIO knows and is of the same mindset I am.

I still keep coming back to the password reuse. In my 3 months back here, I have talked with one student whose banking
info was changed in our student system. Should this DB end up in the wrong hands, it will get worse.

Reading list (Thank you much for these!):
https://dl.acm.org/citation.cfm?id=1242661 (Microsoft password reuse, 2006)
https://www.blaseur.com/papers/chi16-pwperceptions.pdf, "Do Users' Perceptions of Password Security Match Reality?"
http://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf, "The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis"
https://www.cs.umd.edu/~jkatz/security/downloads/passwords_revealed-weir.pdf, "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords"
https://www.nsf.gov/bfa/dias/policy/human.jsp (NSF Human Use)
https://www.slideshare.net/JISC/password-lifespans-at-ucl-a-training-opportunity (UCL in the UK sliding scale of password strength and renewal time frame)

Thanks again for all the valuable input!
Ron

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Tuesday, April 2, 2019 4:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Interesting Research

Fellow security pros,

I had an interesting research request come into my inbox today. A researcher wants to set up a portal for students to
self-register with a username and password. The kicker is passwords will be stored in plain text and collected. The
premise is to gauge whether students are actually adhering to suggested practices in password design.

My first reaction is "(heck) no," but I realize I may be overreacting. So, I decided to see if anyone has dealt with 
this kind of research and how you handled it.

While I see the value in the research, my security senses tell me students will be using their standard password they
use for everything. Thus, big risk.

Feel free to contact me directly.

Thank you,
Ron

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)
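The reply above asks whether a tool could measure password strength before and after training without the study having to keep the passwords themselves. The script below is an added example, not code from this thread or from the researcher's portal: it computes only strength features (length, character classes, an entropy estimate, membership in a common-password list) and links a student's before/after records through a keyed hash of the username, so neither the plaintext password nor the username is written to the research dataset. The `COMMON_PASSWORDS` set and `STUDY_KEY` are constructed placeholders; a real study would use a larger public list and a key generated once and held by the research team.

```python
"""Strength-only capture for a password study (added example, not from the thread)."""
import hashlib
import hmac
import math
import string

# Constructed sample of commonly chosen passwords; a real study would load a larger public list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Hypothetical per-study secret: generated once, held by the research team, never stored with the data.
STUDY_KEY = b"replace-with-a-random-study-key"


def password_metrics(password: str) -> dict:
    """Return strength features for a password; the password itself is not part of the result."""
    classes = {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    # Size of the alphabet the password draws from, used for a naive entropy estimate.
    pool = (26 * classes["lower"] + 26 * classes["upper"]
            + 10 * classes["digit"] + len(string.punctuation) * classes["symbol"])
    entropy_bits = round(len(password) * math.log2(pool), 1) if pool else 0.0
    return {
        "length": len(password),
        "char_classes": sum(classes.values()),
        "entropy_bits": entropy_bits,
        "is_common": password.lower() in COMMON_PASSWORDS,
    }


def pseudonymize(username: str, key: bytes = STUDY_KEY) -> str:
    """Keyed hash of the username so before/after records can be linked without storing the name."""
    return hmac.new(key, username.lower().encode(), hashlib.sha256).hexdigest()


def study_record(username: str, password: str, phase: str) -> dict:
    """Build the only record that should be persisted: pseudonym, study phase, and strength metrics."""
    record = {"subject": pseudonymize(username), "phase": phase}
    record.update(password_metrics(password))
    return record


if __name__ == "__main__":
    # Constructed sample submissions from one student before and after training.
    before = study_record("student1", "welcome1", "before_training")
    after = study_record("student1", "Tr0ub4dor&3!", "after_training")
    print(before)
    print(after)
```

The metrics are computed in the same request that receives the password and the plaintext is discarded immediately afterwards; the research team gets per-subject before/after comparisons, while a leaked dataset would reveal neither credentials nor identities.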
