Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Brian Eckman <eckman () UMN EDU>
Date: Sun, 29 Aug 2004 11:33:45 -0500
Scott Bradner said:
far better to force good passwords when the user sets them
Ken Shaurette said:
"make sure that users can't ever select weak passwords"
In some environments, this is possible, but not in all. The last I checked, many versions of Netware had a minimum character limit, but no way of making sure they were difficult to guess. Windows has its complexity requirements, but IIRC, Passw0rd is a "complex" 8-character password. (OK, so buy a third party solution that resolves this. That works for me.)

(Note: I realize below I am advocating password "guessing" more than "cracking", but the two words are often interchanged.)

That's all fine (auditing passwords when they are set) in a centralized environment, where the folks enforcing the policies also admin the systems. In an environment as large and complex as ours, we have a number of folks doing network security and policy enforcement that aren't the system admins. There are thousands of Windows machines that can be logged into over the network; hundreds of them are Windows servers administered by literally hundreds of different people in different departments with different levels of knowledge. We have policies in place regarding passwords and server security. However, the only way for us to determine if those policies are being enforced is to:

1. Wait for the boxes to become compromised, hope we find them, then hope we can determine how the attackers got in.

or

2. Actively seek boxes that will easily become compromised, and hopefully beat the bad guys to them, and get them better secured.

Also, we are one of the largest research Universities in the US, and therefore get a number of Windows computers as a part of grants. The researchers, who typically know little to nothing about Windows security, sometimes set these machines up on the network without consulting their department's technical staff, and begin using them with little to no regard to patching or passwords. While we can determine if their patch levels are out of date with tools such as Nessus, without network based password guessing, we can only sit and wait to see how the passwords stand up.

Often the systems come fairly well patched from the manufacturer (most recent SP for example), so they may appear "secure" to Nessus, yet be wide open to a password guessing attack.

(Note that we did have a team of people charged with investigating a big Active Directory forest, and it was determined after a year or so that it just wasn't doable in our environment. There is an Active Directory root, but most departments have chosen not to join it for one reason or another.)

I do agree that the password auditor should not be able to see the results of the password auditing. The reality is, people have more and more different accounts, and many people do use the same password across multiple systems. I sure do not want to get caught holding someone's online banking password (discovered because it's the same as their computer password), especially if they become a victim of identity theft.

Brian

--
Brian Eckman
Security Analyst
University of Minnesota

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
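The post's point that "Passw0rd" satisfies the Windows complexity rule while being trivially guessable, and that an auditor should not be handed the passwords themselves, can be shown with a set-time policy check. The following Python is an added example, not code from this thread or from any product mentioned in it. It assumes an approximation of the Windows "password must meet complexity requirements" rule (length 6+, three of four character classes, no account name substring; the Unicode-letter class is omitted), a constructed mini word list in place of a real dictionary, and a constructed leet substitution table.

```python
import re
from typing import Optional

# Constructed mini word list for the demo; a real checker loads a large list.
COMMON_WORDS = {"password", "welcome", "letmein", "admin", "qwerty", "summer", "minnesota"}

# Constructed table of common character substitutions ("leet"), undone
# before the dictionary lookup so "Passw0rd" is looked up as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_windows_complexity(password: str, username: str = "") -> bool:
    """Approximation of the Windows complexity policy: at least 6 characters,
    characters from at least three of four classes (upper, lower, digit,
    non-alphanumeric), and no account name of 3+ characters inside it."""
    if len(password) < 6:
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        return False
    if len(username) >= 3 and username.lower() in password.lower():
        return False
    return True


def base_word(password: str) -> str:
    """Reduce a password to the word a guesser would try: lower-case it, strip
    leading/trailing digits and symbols ("Password1!" -> "password"), then undo
    leet substitutions ("passw0rd" -> "password")."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return stripped.translate(LEET_MAP)


def guessable(password: str) -> Optional[str]:
    """Return why the password is likely guessable, or None if no rule fires."""
    base = base_word(password)
    if base in COMMON_WORDS:
        return f"variant of common word '{base}'"
    if len(password) < 12:
        return "shorter than 12 characters"
    return None


def audit(accounts):
    """Check (username, candidate password) pairs. The report carries only the
    verdict per account, never the password, so it can be handed to someone
    who should not see the passwords themselves."""
    report = {}
    for username, password in accounts:
        report[username] = {
            "complexity_ok": meets_windows_complexity(password, username),
            "weak_reason": guessable(password),
        }
    return report


if __name__ == "__main__":
    # Constructed sample accounts: a "complex" dictionary variant, a long
    # passphrase that fails the complexity rule, and a short random string.
    sample = [("alice", "Passw0rd"),
              ("bob", "correct horse battery staple"),
              ("carol", "Xk9#qT2v")]
    for user, verdict in audit(sample).items():
        print(user, verdict)
```

Running it shows the mismatch the post describes: "Passw0rd" passes the complexity rule but is flagged as a variant of "password", while the passphrase fails the complexity rule yet triggers no guessability rule. The report dictionary never contains the candidate passwords, which is the property wanted when the person reading audit results is not the person who should hold the secrets.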