Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Jason Richardson <a00jer1 () WPO CSO NIU EDU>
Date: Thu, 26 Aug 2004 16:14:40 -0500

IMO, actively running LC or something else on the network to crack
faculty/staff passwords is a pretty aggressive practice and I'm frankly
surprised that the original poster's org gets away with it if they
disclosed to everyone what they intended to do.  Punishing them for not
using a strong password is even more aggressive and I can't even imagine
bringing that up with management here.  We instituted higher complexity
requirements and a self-service module early last year and we will be
increasing those requirements again this year.

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu


b.lucas () TCU EDU 8/26/2004 4:00:57 PM >>>
If you don't crack them regularly, you might consider it as long as
you're going to do something with the data.  You'll be surprised at how
poor they are if you aren't doing any complexity enforcement.  We've
been cracking monthly for 14 months now followed by a targeted email
urging them to change it and education about selecting a strong
password.

We have a complexity requirement and an improved self-service module
about to kick in sometime in the next two weeks.

Bryan Lucas
Lead Server Administrator
Texas Christian University
(817) 257-6971


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sweeny, Jonny
Sent: Thursday, August 26, 2004 3:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Cracking & Consequences


Do IT departments commonly try to crack their users' passwords?

That's surprising/scary news to me...

~Jonny

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Thursday, August 26, 2004 3:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Cracking & Consequences

We are looking for any advice on the consequences other institutions
impose on faculty and staff when their password is cracked by IT.  For
instance, is it a zero-tolerance system where your password is
automatically reset and you must show up at the Helpdesk to have it
reset?  Or, is it a graduated series of consequences, a la "Three
Strikes and You're Out,"  e.g., disciplinary action, network
restrictions, etc.  Any other configurations?

Anything anyone could provide would be helpful.  Trying not to reinvent
the wheel!

Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
