Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Ron Parker <rparker () BRAZOSPORT EDU>
Date: Thu, 26 Aug 2004 17:07:32 -0500
On Thu, 26 Aug 2004, Jason Richardson wrote:
IMO, actively running LC or something else on the network to crack faculty/staff passwords is a pretty aggressive practice and I'm frankly surprised that the original poster's org gets away with it if they disclosed to everyone what they intended to do. Punishing them for not using a strong password is even more aggressive and I can't even imagine bringing that up with management here.

We instituted higher complexity requirements and a self-service module early last year and we will be increasing those requirements again this year.

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu

From a network security standpoint, this seems like pretty standard countermeasures to me. I consider this to be the network security equivalent of physical campus security rattling doorknobs at night to see if the door is locked. A poor password is an unlocked door.

If you want to see something scary, do a password crack and see how many of your faculty/staff/administrators with access to HIGHLY sensitive data are using ridiculously insecure passwords. I've had several security incidents that started with such poor passwords and other poor security practices.

I've never "punished" anyone for a bad password. I've considered asking for the power but I don't think it is appropriate in our collegial environment. However, I have definitely talked to a supervisor or two after repeated suggestions for better passwords to an individual fell on deaf ears.

In my case, I don't enjoy being the one to have to deal with these security incidents. My management backs me on that. I can guarantee that they will back me if I tell them I'm trying to keep us off the front pages of the newspapers.

--
Ron Parker, Director of Information Technology, Brazosport College
Voice: (979) 230-3480
FAX: (979) 230-3111
http://www.brazosport.edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.