Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Cal Frye <cjf () CALFRYE COM>
Date: Sat, 28 Aug 2004 14:42:19 -0400

Gary Flynn wrote:

> Perhaps if we had initiated this discussion with the
> term "password strength testing" rather than
> "password cracking" it may have been received differently.
> Network vulnerability scanners include password
> strength testing along with their other tests. Those tests
> too, could be viewed as cracking tools rather than
> vulnerability tests.

I still see a distinction between "strength testing" that does NOT reveal the
password under test, and "cracking" that returns a list that could be used by
the system administrator. The point was made that the legal case can be weakened
for all sorts of excuses, but I never want to be one of those myself.

--Cal Frye, Network Administrator, Oberlin College
 www.ouuf.org, www.calfrye.com

Footnote: Not to pick on you, Gary, but you make some good points I want to
elaborate on...

Gary Flynn wrote:
> Michael Mills wrote:
>
>> Even if that IT user would delete that audit trail, that deletion
>> would show up in the audit trail.
>
> That may be the intention but I don't know of
> too many commercial operating systems and
> applications that can protect an audit trail
> from a privileged user.

NetWare does a pretty good job, if you install the full auditing package.
The administrator winds up with no rights to the audit trail, including explicit
denial of access rights.
