Re: Password Cracking & Consequences

[Jeff Giacobbe <giacobbej () MAIL MONTCLAIR EDU>]

Colleagues-

A "weak" password represents a security risk just like an unpatched
Windows machine represents a security risk. I do believe that IT
departments have a responsibility to take reasonable steps to ensure
that their computing environments are as secure as possible. Those steps
could/should include periodic system scanning (via Nessus or some other
vulnerability tool), proactive network monitoring to isolate problematic
machines, and password checking to ensure that there are no easily
"crackable" user or system passwords.

I would recommend, however, that the password checking occur at the
point at which a user is selecting their password (i.e. from a
password/account management portal) rather than "after the fact"
password cracking. Odds are that whomever would hijack a weak password
has already done so by the time IT has gotten around to doing it.

Put another way, if IT doesn't want users to have weak passwords, then
IT should make sure that users can't ever select weak passwords.
Penalizing users after the fact seems a little draconian.


Regards,

Jeff Giacobbe
Dir. of Systems, Security, and Networking
Montclair State University




CAROLE CARMODY wrote:
> What would be the circumstances under which IT would "crack" a faculty
> member's password. Unless there is a violation of the acceptable use
> policy or is it that the individual forgets the password?
>
> Carole Carmody
> Bloomfield College
>
> -----Original Message-----
> From: Sweeny, Jonny [mailto:jsweeny () INDIANA EDU]
> Sent: Thursday, August 26, 2004 4:25 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password Cracking & Consequences
>
> Do IT departments commonly try to crack their users' passwords?
>
> That's surprising/scary news to me...
>
> ~Jonny
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
> Sent: Thursday, August 26, 2004 3:01 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Password Cracking & Consequences
>
> We are looking for any advice on the consequences other institutions
> impose
> on faculty and staff when their password is cracked by IT.  For
> instance, is
> it a zero-tolerance system where your password is automatically reset
> and
> you must show up at the Helpdesk to have it reset?  Or, is it a
> graduated
> series of consequences, a la "Three Strikes and You're Out,"  e.g.,
> disciplinary action, network restrictions, etc.  Any other
> configurations?
>
> Anything anyone could provide would be helpful.  Trying not to reinvent
> the
> wheel!
>
> Jason Brooks
>
> Jason Brooks
> Information Security Technician
> Longwood University
> 201 High Street
> Farmville, VA 23909
> (434) 395-2034
> mailto:brooksje () longwood edu
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> ********** Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.