Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences

From: "Wayne J. Hauber" <wjhauber () IASTATE EDU>
Date: Thu, 26 Aug 2004 17:44:02 -0500

At 03:00 PM 8/26/2004, Jason Brooks wrote:

We are looking for any advice on the consequences other institutions impose
on faculty and staff when their password is cracked by IT.  For instance, is
it a zero-tolerance system where your password is automatically reset and
you must show up at the Helpdesk to have it reset?  Or, is it a graduated
series of consequences, a la "Three Strikes and You're Out,"  e.g.,
disciplinary action, network restrictions, etc.  Any other configurations?

Anything anyone could provide would be helpful.  Trying not to reinvent the
wheel!


Perhaps the question could be restated:

1. Are there password complexity standards at your institution?
2. How do you test the complexity?
3. Do you enforce the standards?
4. If so, how?

*Local* computer passwords are largely exempt from scrutiny at ISU. I am
coordinating a project that is attempting to bring minimum security
standards to student Windows systems. We've written an inspection program
which runs on student computers as part of network registration (netreg).

Among other things, it tests for weak passwords and null passwords; a
dictionary test is used. The students are told which accounts had weak
passwords. They are asked to fix the passwords and other reported security
holes before receiving a valid IP number.

The security standards we seek to implement are still voluntary. We hope to
enforce the standards during network registration in the future. If
enforcement of standards is approved, we would like to make admittance to
the network contingent on strong passwords, current service packs and
hotfixes and AV software.

Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.



Wayne Hauber (515) 294-9890
Network Information & Microcomputer Network Services
Office of Academic Information Technologies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Current thread:

Re: Password Cracking & Consequences, (continued)
- Re: Password Cracking & Consequences Alan Amesbury (Aug 26)
- Re: Password Cracking & Consequences Jason Richardson (Aug 26)
- Re: Password Cracking & Consequences Jeff Giacobbe (Aug 26)
- Re: Password Cracking & Consequences Geoff Nathan (Aug 26)
- Re: Password Cracking & Consequences Lucas, Bryan (Aug 26)
- Re: Password Cracking & Consequences Ron Parker (Aug 26)
- Re: Password Cracking & Consequences Stephen Bernard (Aug 26)
- Re: Password Cracking & Consequences Ron Parker (Aug 26)
- Re: Password Cracking & Consequences Eric Pancer (Aug 26)
- Re: Password Cracking & Consequences Ken Shaurette (Aug 26)
- Re: Password Cracking & Consequences Wayne J. Hauber (Aug 26)
- Re: Password Cracking & Consequences Scott Bradner (Aug 26)
- Re: Password Cracking & Consequences Scott Weeks (Aug 26)
- Re: Password Cracking & Consequences James Riden (Aug 26)
- Re: Password Cracking & Consequences Scott Bradner (Aug 26)
- Re: Password Cracking & Consequences Scott Bradner (Aug 26)
- Re: Password Cracking & Consequences James Riden (Aug 26)
- Re: Password Cracking & Consequences Michael Mills (Aug 26)
- Re: Password Cracking & Consequences Theresa M Rowe (Aug 27)
- Re: Password Cracking & Consequences Wayne Wilson (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)

(Thread continues...)