Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Password Cracking & Consequences

From: Michael Mills <mmills () RKON COM>
Date: Fri, 27 Aug 2004 10:53:42 -0500
Actually is does matter.  If the IT staff "Cracks" users accounts then the
IT staff can log on as that user and do as they wish (any department for
that matter).  However if that same IT person changes that users password
and then logs on as that person, an audit trail is created.  Even if that IT
user would delete that audit trail, that deletion would show up in the audit
trail.  So again, I stress the point that under no circumstances should
ANYONE know ANYONE else's password, weather it is by "cracking" or by asking
someone their password.



Michael Mills
mmills () rkon com


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Azoff
Sent: Friday, August 27, 2004 10:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Cracking & Consequences

Michael Mills wrote:


Or another scenario, a staff/faculty
member is identified to have attempted to access areas he/she does not have
access to, so the university decides to let this person go.  That person
gets a lawyer and charges that on a regular basis the IT staff "cracks"
their passwords and because of that how can it be proved 100% that that
person is the guilty party?  I wouldn't want to be part of that lawsuit.





I think you are missing the point.  The IT staff, being that they *are*
the IT staff would already have access to anyones account.  A weak
password audit has nothing to do with anyone having access to their
account.  The whole point is to *prevent* unauthorized access.
Attempting to crack a users password does nothing but ensure that the
password is secure.

--
-- Justin Azoff
-- Network Performance Analyst

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or 
entity to whom they are addressed. If you have received this email in error please notify the system manager. This 
message contains confidential information and is intended only for the individual named. If you are not the named 
addressee you should not disseminate, distribute or copy this e-mail.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
Previous By Date Next
Previous By Thread Next

Current thread: