Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 27 Aug 2004 15:09:21 -0400
Scott Bradner wrote:
Not with compromised desktops and phishing attacks around. So forcing a passwd change reduces the window of vulnerability: if an attack lags the interception of the password by a long time, changing the password helps; but if the attack comes soon after the compromise, changing the passwd does nothing useful.
True, but it puts a limit on the amount of time an account can remain compromised. As you suggest, not all account compromises are leveraged immediately. Also, the things the account is used for may not draw attention for a long time. I'd hazard a guess that the compromises we should be most worried about fit those categories (i.e. the "sleeper" compromises).

In the meantime, and depending upon how well the users' habits are known or can be defined, login logs can be monitored for location and time aberrations. A login from Spain while the account holder is sitting across the hall is a definite tip that something is wrong. :)

Are you saying passwords should not be changed periodically?

I was once a proponent that:

a) a strong password
b) on a system with anti-guessing limits and good monitoring
c) using an application that encrypted the password on the wire

did not need to be changed very often as long as the password was protected. I've seen enough compromised desktops and accounts over the past year that I've changed my mind about the feasibility of a typical user being able to protect their password.

I guess the password changing policies, though, depend upon the level of risk that a compromised user account represents. There might be some disagreement over that. :)

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
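The "login from Spain while the account holder is across the hall" check Gary describes is straightforward to run over authentication logs. The script below is an added example, not code from the original post or from JMU: it parses constructed sshd-style "Accepted password" lines, maps source IPs to countries through a small constructed prefix table (a stand-in for a GeoIP database), compares each login against a constructed per-user baseline of usual countries and usual hours, and additionally flags "impossible travel", two logins from different countries closer together than an assumed minimum travel time. Every IP range, user name, baseline and the six-hour threshold are assumptions for illustration.

```python
"""Flag location and time aberrations in sshd authentication logs.

Added example; not from the original post. Log lines, the IP-to-country
table, the per-user baselines and the travel threshold are constructed
for illustration. A real deployment would use a GeoIP database and
derive each user's baseline from weeks of historical logins.
"""
import re
from datetime import datetime, timedelta

# Constructed IP-prefix -> country table (stands in for a GeoIP lookup).
GEO = {
    "10.1.": "US",      # assumed campus network
    "192.0.2.": "ES",   # assumed foreign ISP range
}

# Constructed per-user baseline: usual countries and usual login hours
# (hours are in the timezone the log timestamps are written in).
BASELINE = {
    "jdoe":   {"countries": {"US"}, "hours": range(7, 20)},
    "msmith": {"countries": {"US"}, "hours": range(7, 20)},
}

# Assumed minimum elapsed time between logins from two different countries.
MIN_TRAVEL = timedelta(hours=6)

# Constructed log lines in a syslog-like layout.
LOG = """\
2004-08-27T09:02:11 sshd: Accepted password for jdoe from 10.1.10.22
2004-08-27T09:05:40 sshd: Accepted password for jdoe from 192.0.2.9
2004-08-27T03:14:02 sshd: Accepted password for msmith from 10.1.10.40
2004-08-27T10:30:00 sshd: Accepted password for msmith from 10.1.10.40
"""

LINE_RE = re.compile(r"^(\S+) sshd: Accepted \w+ for (\S+) from (\S+)")


def country_of(ip):
    """Longest-prefix match against the constructed GEO table."""
    for prefix, cc in sorted(GEO.items(), key=lambda kv: -len(kv[0])):
        if ip.startswith(prefix):
            return cc
    return "??"


def parse(log_text):
    """Yield (timestamp, user, ip) for every successful-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def analyze(log_text):
    """Return a chronologically ordered list of (user, alert_kind, detail)."""
    alerts = []
    last_seen = {}  # user -> (timestamp, country) of the previous login
    for ts, user, ip in sorted(parse(log_text)):
        cc = country_of(ip)
        base = BASELINE.get(user)
        if base is not None:
            if cc not in base["countries"]:
                alerts.append((user, "unusual-country",
                               f"{cc} ({ip}) at {ts.isoformat()}"))
            if ts.hour not in base["hours"]:
                alerts.append((user, "unusual-hour",
                               f"{ts.isoformat()} from {ip}"))
        prev = last_seen.get(user)
        if prev is not None and prev[1] != cc and ts - prev[0] < MIN_TRAVEL:
            alerts.append((user, "impossible-travel",
                           f"{prev[1]} -> {cc} in {ts - prev[0]}"))
        last_seen[user] = (ts, cc)
    return alerts


if __name__ == "__main__":
    for user, kind, detail in analyze(LOG):
        print(f"{user:8} {kind:18} {detail}")
```

Against the constructed input this yields three alerts: msmith's 03:14 login is outside the usual hours, and jdoe's second login is both from a country not in the baseline and within minutes of a campus login, so it also trips the impossible-travel rule. The hour check is only as good as the timezone consistency of the logs, and legitimate VPN or travel use will produce false positives, which is why the baseline needs to reflect how well each user's habits are actually known, as the post notes.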
Current thread:
- Re: Password Cracking & Consequences, (continued)
- Re: Password Cracking & Consequences Scott Bradner (Aug 27)
- Re: Password Cracking & Consequences Scott Bradner (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)
- Re: Password Cracking & Consequences Michael Mills (Aug 27)
- Re: Password Cracking & Consequences Scott Bradner (Aug 27)
- Re: Password Cracking & Consequences Michael Mills (Aug 27)
- Re: Password Cracking & Consequences Michael Mills (Aug 27)
- Re: Password Cracking & Consequences Mike Austin (Aug 27)
- Re: Password Cracking & Consequences Davis, Thomas R. (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)
- Re: Password Cracking & Consequences Michael Mills (Aug 27)
- Re: Password Cracking & Consequences Cal Frye (Aug 28)
- Re: Password Cracking & Consequences Jere Retzer (Aug 28)
- Re: Password Cracking & Consequences Brian Eckman (Aug 29)
- Re: Password Cracking & Consequences Ron Parker (Aug 30)
- Re: Password Cracking & Consequences Wayne Wilson (Aug 30)
- Re: Password Cracking & Consequences Wayne Wilson (Aug 30)