Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Thu, 26 Aug 2004 16:12:56 -0500
Sweeny, Jonny wrote:
Do IT departments commonly try to crack their users' passwords? That's surprising/scary news to me...
I know some do, particularly those with traditionally open networks (like universities). The rationale is typically something like this:

There's a pool of fairly talented, adept users, of which some are hostile (maybe not in the traditional sense, but they occasionally take actions which aren't in the best interests of the network and organization). The safe assumption is that at least some of these hostile users will attempt to crack passwords gleaned from wherever they can get them (YP/NIS, SAM enumeration, whatever).

You, as the IT staffer in charge of protecting the network, have a vested interest in knowing which accounts have weak passwords, but aren't so concerned that you patch passwd(1) to save a copy of each password used in a text file somewhere. (Hey, I'm sure it's happened.)

Your management is enlightened enough to understand your concerns, so they grant you permission to periodically attempt to crack passwords belonging to your users... which you then proceed to do.

In summary: It's pretty much a given that someone's already cracking passwords to your system(s). Why shouldn't you?

--
Alan Amesbury
OITSEC, University of Minnesota

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.