Educause Security Discussion mailing list archives

Re: Student paper "editorial" on robust passwords


From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: Fri, 24 Sep 2004 11:25:10 -0700

The weird thing is that the student's editorial is quite readable!

What I don't often hear in this discussion is the clear set of
technical mitigations that we all should be working towards.  Of
course Frank's password should not be "Frank" but frankly we
technologists have some work to do as well.

It should be the goal of every IT environment that, at the very least:

       1. EVERY system requires reasonably strong passwords to avoid
          ease of guessing;

       2. NO system stores passwords in the clear, and NO system allows easy
          access to the password store (e.g. /etc/passwd)!!

       3. NO system requires sending passwords in clear text over ANY
          communications medium;

       4. EVERY system locks up an account if a password is entered
          incorrectly N times in succession.

If legacy systems can't conform to this, replace them ASAP.  Require
new systems to conform.  Eventually we'll all be safer and the very
long running password debate will be less interesting.

       David Wasley
       University of California


PS: It would be nice if there was an "Internet Good Housekeeping Seal
of Approval" that declared a site conformed to at least the above.  I
have "accounts" at NYTimes, Amazon, etc. and have no idea, nor any
way of knowing, what they do beyond https.


PPS: I was at a Microsoft site a while back which asked me for a
password.  My browser warned me that it was not an encrypted channel.
I sent a note to Microsoft and they replied "don't worry, it really
is encrypted."  What sort of mis-education is that?!  We try to train
users to care about such things and the world's techno-giant says
"don't worry; trust us" !?


------

FWIW, in case you weren't bored enough to "read" the editorial, it
was actually supportive of the new rules at UT:
"Next week, the University will enter a new age of computer security.

"Most students have been informed that Information Technology
Services wants us to change our passwords.  Though the requirements
seem rather strict (and quite odd), new security measures such as
these will only protect us from hackers and other mean, nasty folks
who would like nothing better than to invade our personal lives.

"Some students will complain that the list of password requirements
may go altogether too far.  Some of the criticisms are fair: it may
be difficult to memorize an unintelligible set of numbers, letters,
and "special" characters.

"But the price we pay for Internet security is often rather steep and
we must take it in stride.  After all, we live in an era where some
of our most vital information is kept online; it must stay out of the
reach of cyber-terrorists!!"

-----
At 11:03 AM -0500 on 9/23/04, Dan Updegrove wrote:

Colleagues,

I thought you'd be amused by this "editorial," in today's Daily
Texan (the student paper) in response to our new policy to require
robust passwords.

Dan Updegrove

Viewpoint: [Please enter new password]
It will likely take less time to read this editorial than it will to
think of a new password for UT Direct. We'd like to help. In The
Daily Texan's continuing tradition of public service, each word in
this editorial meets the criteria to be a possible UT EID password.


Nxet-we!k, theUn1iversity wil!lent8r -ane.wage5 ofcom-puter3 1sec+urity.

M00#0ost stu$4d-ents hav:eb@en in--4med v1ae-mai! tkat7nfor-mation
+T1echnology S0rvice*s wa-ntsus6 %al7tochang5e ourpa-sswor8s.
1Tho-ughthe re3uire.ments se,emra1her str;ict09 (andqu*iteodd),
new&ecurity1 m@esures1susch as5-these 1wyll-onlee 4pro=tect us(fr0om
9h*cKersand 8othermean, nasT-folks1 who-1-wud li1ke>noth+ing
bet+ter5tha!n 4to-Nvade our8pers-onal ))liffes0000.

Sum@stu2ents 11ha-ve11 0comp)lained t5at=the ##list3of pazz.wrd4
0rekweyermen.ts may,go,a1 7step+too0far. 1.111Sumuv 0(theyr
crit.icis.ms2 are4fa-ir; it8may+be 6iff-icul:t 0tomem-orize
4anunintel-ligible set0.00of 6umbers,let1ers+and "7spec-ial"
cha-r--act00rs.

.00Butthe prisewe($8) pay-2x2-for En-ter7net 6.2secyriT is+of=ten0
r4ather$ ste3ep(555), and+wemus0t 999take,it in-stryde06. @2Aftall,
we=7=liv+in an,era+where1 sum-0of 50ourmo-st vital!1!!
1in-for-9mation is.kept75 8on1line; 0-0itmust st.ay0OUT
of3there#achof cyber-ter1rorists!!!
DT article --
http://www.dailytexanonline.com/news/2004/09/23/Opinion/Viewpoint.please.Enter.New.Password-728041.shtml

UT EID info -- https://utdirect.utexas.edu/nlogon/eid_suite/general/

VP  for Information Technology         Phone (512) 232-9610
The University of Texas at Austin      Fax (512) 232-9607
FAC 248 (Mail code: G9800)             d.updegrove () its utexas edu
P.O. Box 7407                                  http://wnt.utexas.edu/~danu/
Austin, TX 78713-7407

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
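As an added illustration of points 1, 2 and 4 in the list above (this is example code written for this archive page, not code from the original message, from UC or from UT): a small credential store that refuses trivially guessable passwords, keeps only a random salt plus a slow salted hash (PBKDF2, so nothing in the store can be read back as a password), and locks the account after N wrong passwords in succession. The minimum length, the value of N and the PBKDF2 work factor are assumed values chosen for the example; point 3 (never sending the password in clear) is a transport matter and is not shown here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

# Assumed policy values (not from the original message): a minimum length for
# point 1, the "N" of point 4, and a PBKDF2 work factor.
MIN_PASSWORD_LENGTH = 12
MAX_CONSECUTIVE_FAILURES = 5
PBKDF2_ITERATIONS = 200_000


@dataclass
class Record:
    """What the store keeps per account: a random salt and a slow hash, never the password."""
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


def check_strength(username: str, password: str) -> None:
    """Point 1: reject passwords that are trivially guessable. Raises ValueError."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password too short")
    if password.lower() == username.lower():
        raise ValueError("password must not equal the username")


def derive(password: str, salt: bytes) -> bytes:
    """Point 2: a salted, iterated hash is stored instead of the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class CredentialStore:
    def __init__(self, max_failures: int = MAX_CONSECUTIVE_FAILURES) -> None:
        self._records: Dict[str, Record] = {}
        self.max_failures = max_failures

    def enroll(self, username: str, password: str) -> None:
        check_strength(username, password)
        salt = os.urandom(16)  # fresh per account, so equal passwords give different digests
        self._records[username] = Record(salt=salt, digest=derive(password, salt))

    def authenticate(self, username: str, password: str) -> str:
        """Returns "ok", "fail" or "locked" (point 4: lock after N failures in succession)."""
        rec = self._records.get(username)
        if rec is None:
            # Spend the same effort for unknown users so timing does not reveal valid names.
            derive(password, bytes(16))
            return "fail"
        if rec.locked:
            return "locked"
        if hmac.compare_digest(derive(password, rec.salt), rec.digest):
            rec.failures = 0  # a success ends the run of consecutive failures
            return "ok"
        rec.failures += 1
        if rec.failures >= self.max_failures:
            rec.locked = True
            return "locked"
        return "fail"

    def is_locked(self, username: str) -> bool:
        return self._records[username].locked

    def unlock(self, username: str) -> None:
        """Administrative reset once the lockout has been reviewed."""
        rec = self._records[username]
        rec.locked = False
        rec.failures = 0

    def stored_bytes(self, username: str) -> bytes:
        """Everything persisted for the account, so a caller can confirm no cleartext is in it."""
        rec = self._records[username]
        return rec.salt + rec.digest


if __name__ == "__main__":
    store = CredentialStore()
    store.enroll("frank", "correct horse battery")  # constructed sample credentials
    print(store.authenticate("frank", "correct horse battery"))
    for _ in range(MAX_CONSECUTIVE_FAILURES):
        print(store.authenticate("frank", "Frank"))  # "fail" four times, then "locked"
    print(store.authenticate("frank", "correct horse battery"))  # stays "locked" until unlock()
```

The lockout counter only tracks failures in succession: a correct password resets it, which is what point 4 asks for, and an unknown username costs the same hashing work as a known one so the login form does not become a username oracle.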
