Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Scott Bradner <sob () HARVARD EDU>
Date: Thu, 26 Aug 2004 19:33:29 -0400

what is the threat model that leads to the IT department cracking passwords?

if you make the password file hard to get (i.e. restricted access,
if someone can override that you have a rather more basic problem that
making sure that people have good passwords will not solve) and you
auto lockout (for some period of time) on multiple failed login
attempts (7 or so is a good number if you want to encourage people
to use different passwords on different machines - 3 would ensure that
people used the same password on all machines or wrote down the
machine/password combos), I do not see that having the IT department
run a password cracker does all that much good, and the bad taste
that people will have over it being done (and the enabling of a strong
defense for someone caught doing something bad, which has already been
mentioned) seems to argue that it's, in general, a bad idea

far better to force good passwords when the user sets them

Scott
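As an added example (not code from Scott's post or from any particular campus system), here is one way to implement the timed lockout he describes: lock an account for a period after N consecutive failures, and refuse even a correct password while the lock is active so the lock itself leaks nothing. The threshold of 7 comes from the post; the 15-minute lock duration, the user names and the plaintext credential check are constructed assumptions for the demo.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class LockoutPolicy:
    max_failures: int = 7          # consecutive failures before locking (from the post)
    lockout_seconds: float = 900.0  # assumed 15-minute lock; not stated in the post


@dataclass
class LoginGuard:
    """Wraps a credential check with per-user failure counting and a timed lock."""
    policy: LockoutPolicy
    check_credential: Callable[[str, str], bool]
    failures: Dict[str, int] = field(default_factory=dict)      # user -> consecutive failures
    locked_until: Dict[str, float] = field(default_factory=dict)  # user -> unix time lock ends

    def attempt(self, user: str, password: str, now: float = None) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if now < self.locked_until.get(user, 0.0):
            # Locked accounts get the same answer for right and wrong passwords,
            # so the lock cannot be used as a password oracle.
            return "locked"
        if self.check_credential(user, password):
            self.failures.pop(user, None)       # success resets the counter
            self.locked_until.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        if count >= self.policy.max_failures:
            self.locked_until[user] = now + self.policy.lockout_seconds
            self.failures[user] = 0             # next window starts fresh after the lock
            return "locked"
        self.failures[user] = count
        return "denied"


# Constructed sample store for the demo only; a real system verifies a salted hash.
SAMPLE_USERS = {"alice": "correct horse battery staple"}


def sample_check(user: str, password: str) -> bool:
    return SAMPLE_USERS.get(user) == password


if __name__ == "__main__":
    guard = LoginGuard(LockoutPolicy(), sample_check)
    for i in range(7):
        print(i + 1, guard.attempt("alice", "wrong", now=1000.0 + i))
    print("correct while locked:", guard.attempt("alice", SAMPLE_USERS["alice"], now=1010.0))
```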

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
