Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Michael Mills <mmills () RKON COM>
Date: Fri, 27 Aug 2004 10:53:42 -0500
Actually is does matter. If the IT staff "Cracks" users accounts then the IT staff can log on as that user and do as they wish (any department for that matter). However if that same IT person changes that users password and then logs on as that person, an audit trail is created. Even if that IT user would delete that audit trail, that deletion would show up in the audit trail. So again, I stress the point that under no circumstances should ANYONE know ANYONE else's password, weather it is by "cracking" or by asking someone their password. Michael Mills mmills () rkon com -----Original Message----- From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Azoff Sent: Friday, August 27, 2004 10:07 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Password Cracking & Consequences Michael Mills wrote:
Or another scenario, a staff/faculty member is identified to have attempted to access areas he/she does not have access to, so the university decides to let this person go. That person gets a lawyer and charges that on a regular basis the IT staff "cracks" their passwords and because of that how can it be proved 100% that that person is the guilty party? I wouldn't want to be part of that lawsuit.
I think you are missing the point. The IT staff, being that they *are* the IT staff would already have access to anyones account. A weak password audit has nothing to do with anyone having access to their account. The whole point is to *prevent* unauthorized access. Attempting to crack a users password does nothing but ensure that the password is secure. -- -- Justin Azoff -- Network Performance Analyst ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Re: Password Cracking & Consequences, (continued)
- Re: Password Cracking & Consequences Scott Bradner (Aug 26)
- Re: Password Cracking & Consequences James Riden (Aug 26)
- Re: Password Cracking & Consequences Michael Mills (Aug 26)
- Re: Password Cracking & Consequences Theresa M Rowe (Aug 27)
- Re: Password Cracking & Consequences Wayne Wilson (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)
- Re: Password Cracking & Consequences Lucas, Bryan (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)
- Re: Password Cracking & Consequences Lucas, Bryan (Aug 27)
- Re: Password Cracking & Consequences Justin Azoff (Aug 27)
- Re: Password Cracking & Consequences Michael Mills (Aug 27)
- Re: Password Cracking & Consequences Christian Wilson (Aug 27)
- Re: Password Cracking & Consequences Theresa M Rowe (Aug 27)
- Re: Password Cracking & Consequences Theresa M Rowe (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)
- Re: Password Cracking & Consequences Eric Pancer (Aug 27)
- Re: Password Cracking & Consequences Christian Wilson (Aug 27)
- Re: Password Cracking & Consequences Justin Azoff (Aug 27)
- Re: Password Cracking & Consequences Scott Bradner (Aug 27)
- Re: Password Cracking & Consequences Scott Bradner (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)
(Thread continues...)