Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Ron Parker <rparker () BRAZOSPORT EDU>
Date: Mon, 30 Aug 2004 08:40:34 -0500
On Fri, 27 Aug 2004, Michael Mills wrote:
> Justin,
>
> You make very valid points; these options are available and they are also auditable. To not lose my main point, IT staff knowingly cracking passwords is not a good practice. It is also not part of any recommended "Best Practices". If there is a way to lock something up, then there is a way to unlock it. It's just how hard you make the unlocking process that counts.
>
> Michael Mills
It may or may not be on a best practices list but the general technique of applying the same techniques that an attacker would use in order to test the security of a system is a very old technique. I can guarantee that us folks out here in the IT trenches have been using these techniques for as long as Unix has had a password file accessible via the Internet.

To me, this is very similar to our internal auditor examining our accounting systems. This person has tremendous power and they snoop into everything. No one, other than our external auditors, has as much power to cause trouble. I'm sure they could hide things from even the external auditors if they really wanted to. At some point, you have to trust the folks who are guarding the gold or you can't get anything done.

At our place, this kind of security testing is only done by me and my most senior staff, oh, and whatever hacker is currently penetrating our network despite our best efforts.

I've seen this topic debated ad nauseam on non-higher ed discussion groups over the years. I remember the consensus being that this was just another tool in the security toolkit. It may not be appropriate in every situation but it has helped us more than once.

--
Ron Parker, Director of Information Technology, Brazosport College
Voice: (979) 230-3480 FAX: (979) 230-3111
http://www.brazosport.edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.