Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Wayne Wilson <wwilson () UMICH EDU>
Date: Fri, 27 Aug 2004 09:13:19 -0400
Scott Bradner wrote:
| what is the threat model that leads to the IT department cracking passwords?
| .....

I was just about to ask a related question: what do the data show about how often 'crackable passwords' get compromised in production systems?

The reason I need answers to this question is to perform a risk analysis so that the security trade-offs can make sense to users/managers. We are increasingly being asked serious questions about the rapidly increasing cost of managing the distributed computer networks that we have built. It would be good to have some evidence.

Yes, I subscribe to many lists and have built quite a stock of anecdotal stories. When I say evidence, I mean more in the fashion of what my clinical and research customers in the Medical School mean when they say evidence-based medicine.

One place such evidence would be desirable is in the area of formulating complexity rules. Another place the evidence would be extremely useful is in setting the time interval for password aging. That is, it would be nice to know how long a password remains 'good' before it has to be changed.

All of which is to say that once you have the threat model, you then need some evidence upon which to make a risk evaluation and perform the trade-offs amongst the various dimensions.

| far better to force good passwords when the user sets them

This is something that I can agree with, depending upon the end-user cost of the complexity rules (which is why one needs to know just how complex is enough to reduce the risk), because the implementation cost for the IT department is close to zero (caveat here about increased help desk activity). In any risk trade-off, when the implementation costs are low or zero, the threat doesn't have to be very high in order to make a decision. In fact, if the costs truly are close to zero, then perhaps no analysis at all is necessary?