Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Michael Mills <mmills () RKON COM>
Date: Thu, 26 Aug 2004 20:30:18 -0500

To take another perspective on this issue, I add that in an effort to create an
audit trail of users' access to campus resources, for any number of reasons,
it is imperative from not only a personal liability issue, but down to the
campus's ability to enforce any kind of IT Security policy, that NO ONE must EVER
know anyone else's password.  Even if only to prove that a password is
insecure.  Imagine a scenario where the campus is under fire from the RIAA,
and the university passes the responsibility over to the student in
question.  If that student can prove that other people have the ability to
"crack" their password and also do so, on a regular basis, that student is
let off the hook (barring any other circumstances) and the responsibility is
placed right back on the university.  Or another scenario: a staff/faculty
member is identified to have attempted to access areas he/she does not have
access to, so the university decides to let this person go.  That person
gets a lawyer and charges that on a regular basis the IT staff "cracks"
their passwords, and because of that how can it be proved 100% that that
person is the guilty party?  I wouldn't want to be part of that lawsuit.

The point is that there is NEVER an occasion on which any member of the
faculty/staff, IT department or anyone else for that matter, has access to
anyone's passwords but their own. A system should be put in place that will
not allow the creation of "weak" passwords.  In the case of lost/stolen
passwords, a new "temporary" password should be set, and the account should
be set to "change password on first use".  This removes any liability on the
part of the University for knowing anyone's passwords.

With today's increased "phishing" methods of obtaining passwords you will
want to put into effect a "No one will EVER under ANY circumstances ask for
your password" policy.

Some good reading regarding these issues can be found at

http://www.sans.org/resources/policies/

and a good password policy doc can be found here

http://www.sans.org/resources/policies/Password_Policy.pdf


Michael Mills
RKON Technologies
mmills () rkon com
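The two controls described above (reject weak passwords at the moment they are chosen, and hand out a random temporary password that must be changed at first login, with only a salted hash ever stored) can be implemented as follows. This is an added example, not code from the original post, from RKON or from the SANS policy documents linked above; the account model, the function names, the policy thresholds and the small common-password blocklist are assumptions constructed for illustration.

```python
"""Password-policy enforcement plus a temporary-password reset flow.

Stdlib only. The blocklist, thresholds and names below are constructed for
this example; a real deployment would load the same large wordlist a
cracker would use, rather than crack existing passwords after the fact.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of commonly cracked passwords (illustrative only).
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "123456", "monkey"}

# Undo the usual "leet" substitutions so "P@ssw0rd" is checked as "password".
LEET = str.maketrans("@$013", "asole")

MIN_LENGTH = 12          # assumed policy value
PBKDF2_ROUNDS = 100_000  # assumed work factor


def normalize(password: str) -> str:
    """Lower-case, drop the trailing digits/punctuation ("Password1!"),
    then map leet characters back to letters."""
    core = re.sub(r"[\d\W_]+$", "", password.lower())
    return core.translate(LEET)


def policy_violations(password: str, username: str) -> List[str]:
    """Return the reasons a candidate password is weak; [] means acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        reasons.append("fewer than three character classes")
    norm = normalize(password)
    if norm in COMMON_PASSWORDS:
        reasons.append("matches a common password (after undoing substitutions)")
    if username and username.lower() in norm:
        reasons.append("contains the username")
    return reasons


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    must_change: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    # Only this salted, iterated hash is stored; nobody can read the password back.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def set_password(acct: Account, new_password: str) -> None:
    """User-chosen password: enforce the policy first, then store the hash."""
    problems = policy_violations(new_password, acct.username)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = _hash(new_password, acct.salt)
    acct.must_change = False


def issue_temporary_password(acct: Account) -> str:
    """Lost/stolen password: the help desk sets a random one-time value and
    flags the account so the user must choose a new password at first login.
    The temporary value is returned once to hand to the user and not kept."""
    temp = secrets.token_urlsafe(12)
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = _hash(temp, acct.salt)
    acct.must_change = True
    return temp


def login(acct: Account, password: str, new_password: Optional[str] = None) -> str:
    """Verify a password. Returns 'ok', 'change-required' or 'denied'."""
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        return "denied"
    if acct.must_change:
        if new_password is None:
            return "change-required"
        set_password(acct, new_password)  # raises ValueError if it is weak
    return "ok"


if __name__ == "__main__":
    acct = Account("bob")
    set_password(acct, "Tr0ub4dor&3-extra")
    temp = issue_temporary_password(acct)      # help desk hands this to bob
    print(login(acct, temp))                   # change-required
    print(login(acct, temp, "Strong-Enough-Pass9"))  # ok
```

Note that the blocklist check runs on the normalised form, so a user cannot satisfy the policy by appending a digit or swapping in "@" and "0"; that is exactly the class of passwords a cracker's rule set would recover first, which is the argument for rejecting them at creation instead of cracking them later.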



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Riden
Sent: Thursday, August 26, 2004 7:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Cracking & Consequences

Scott Bradner <sob () HARVARD EDU> writes:

> what is the threat model that leads to the IT department cracking
> passwords?

For one: http://www.k-otik.com/exploits/08202004.brutessh2.c.php

> why is this not countered by having lockout on failed login attempts?

It is, but in my case, I'm worrying about systems I don't have direct
control over, whereas I can do things about people's passwords.

--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or 
entity to whom they are addressed. If you have received this email in error please notify the system manager. This 
message contains confidential information and is intended only for the individual named. If you are not the named 
addressee you should not disseminate, distribute or copy this e-mail.

