Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Thu, 26 Aug 2004 16:12:56 -0500

Sweeny, Jonny wrote:

> Do IT departments commonly try to crack their users' passwords?
>
> That's surprising/scary news to me...

I know some do, particularly those with traditionally open networks
(like universities).  The rationale is typically something like this:

       There's a pool of fairly talented, adept users, of which
       some are hostile (maybe not in the traditional sense, but
       they occasionally take actions which aren't in the best
       interests of the network and organization).  The safe
       assumption is that at least some of these hostile users
       will attempt to crack passwords gleaned from wherever they
       can get them (YP/NIS, SAM enumeration, whatever).

       You, as the IT staffer in charge of protecting the network,
       have a vested interest in knowing which accounts have weak
       passwords, but aren't so concerned that you patch passwd(1)
       to save a copy of each password used in a text file
       somewhere.  (Hey, I'm sure it's happened.)

       Your management is enlightened enough to understand your
       concerns, so they grant you permission to periodically
       attempt to crack passwords belonging to your users...
       which you then proceed to do.


In summary:  It's pretty much a given that someone's already cracking
passwords to your system(s).  Why shouldn't you?


--
Alan Amesbury
OITSEC, University of Minnesota

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.