Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Fri, 27 Aug 2004 08:58:59 -0500

1. Yes.
2. We use LC5
3. Yes (in the next few weeks it goes live)
4. With Anixis, their PPE and APR products.  Very cost effective and
work very well for Windows/AD environments.

Bryan Lucas
Lead Server Administrator
Texas Christian University
(817) 257-6971


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wayne J. Hauber
Sent: Thursday, August 26, 2004 5:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Cracking & Consequences


At 03:00 PM 8/26/2004, Jason Brooks wrote:
We are looking for any advice on the consequences other institutions 
impose on faculty and staff when their password is cracked by IT.  For 
instance, is it a zero-tolerance system where your password is 
automatically reset and you must show up at the Helpdesk to have it 
reset?  Or, is it a graduated series of consequences, a la "Three 
Strikes and You're Out,"  e.g., disciplinary action, network 
restrictions, etc.  Any other configurations?

Anything anyone could provide would be helpful.  Trying not to reinvent
the wheel!

Perhaps the question could be restated:

1. Are there password complexity standards at your institution?
2. How do you test the complexity?
3. Do you enforce the standards?
4. If so, how?

*Local* computer passwords are largely exempt from scrutiny at ISU. I am
coordinating a project that is attempting to bring minimum security
standards to student Windows systems. We've written an inspection
program which runs on student computers as part of network registration
(netreg).

Among other things, it tests for weak passwords and null passwords; a
dictionary test is used. The students are told which accounts had weak
passwords. They are asked to fix the passwords and other reported
security holes before receiving a valid IP number.

The security standards we seek to implement are still voluntary. We hope
to enforce the standards during network registration in the future. If
enforcement of standards is approved, we would like to make admittance
to the network contingent on strong passwords, current service packs and
hotfixes and AV software.


Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.


Wayne Hauber (515) 294-9890
Network Information & Microcomputer Network Services
Office of Academic Information Technologies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu
