Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Eric Pancer <epancer () SECURITY DEPAUL EDU>
Date: Fri, 27 Aug 2004 11:35:00 -0500

Theresa M Rowe wrote on Fri, 2004-08-27 at 12:17:58 -0400...

> Yes, that's what I was looking for.  Your policy does not
> explicitly state the password cracking technique, but you
> have had campus discussion on the policy?
>
> For us to create an IT policy here, there's at least 4 rounds
> of different committee review and approval.  We'd have to
> explicitly state we were going to try to crack passwords, or
> the policy would not support the action.

Such is the reason your policy should be able to cover things like
this for authorized security staff (note, I did not say
administrative staff, but security staff).

We've talked to several people in our organization over the past few
years that are more than happy to have us doing something to protect
them. We've also talked to some that are a bit uneasy with us
putting taps in place, etc., but they understand *why* a security
group would do such a thing, and developing trust within the
community is far more key (at least for us) than developing some
iron-fisted policy.

However, YMMV.

--
Eric Pancer :.: Computer Security Response Team :.: DePaul University
http://security.depaul.edu/ .:`:.:':.:`:. epancer () security depaul edu
pgp: 1024D/7ACBCFF3 C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
