Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Ron Parker <rparker () BRAZOSPORT EDU>
Date: Mon, 30 Aug 2004 08:40:34 -0500

On Fri, 27 Aug 2004, Michael Mills wrote:

Justin,

You make very valid points; these options are available and they are also
auditable.

To not lose my main point, IT staff knowingly cracking passwords is not a
good practice.  It is also not part of any recommended "Best Practices".

If there is a way to lock something up, then there is a way to unlock it.
It's just how hard you make the unlocking process that counts.



Michael Mills

It may or may not be on a best practices list but the general technique of
applying the same techniques that an attacker would use in order to test
the security of a system is a very old technique. I can guarantee that us
folks out here in the IT trenches have been using these techniques for as
long as Unix has had a password file accessible via the Internet.

To me, this is very similar to our internal auditor examining our
accounting systems. This person has tremendous power and they snoop into
everything. No one, other than our external auditors, has as much power to
cause trouble. I'm sure they could hide things from even the external
auditors if they really wanted to. At some point, you have to trust the
folks who are guarding the gold or you can't get anything done. At our
place, this kind of security testing is only done by me and my most senior
staff, oh, and whatever hacker is currently penetrating our network
despite our best efforts.

I've seen this topic debated ad nauseam on non-higher ed discussion groups
over the years. I remember the consensus being that this was just another
tool in the security toolkit. It may not be appropriate in every situation
but it has helped us more than once.

--
Ron Parker, Director of Information Technology, Brazosport College
Voice: (979) 230-3480             FAX: (979) 230-3111
http://www.brazosport.edu
