Educause Security Discussion mailing list archives
Re: Student paper "editorial" on robust passwords
From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: Fri, 24 Sep 2004 11:25:10 -0700
The weird thing is that the student's editorial is quite readable!

What I don't often hear in this discussion is the clear set of technical mitigations that we all should be working towards. Of course Frank's password should not be "Frank" but frankly we technologists have some work to do as well. It should be the goal of every IT environment that, at the very least:

1. EVERY system requires reasonably strong passwords to avoid ease of guessing;
2. NO system stores passwords in the clear, and NO system allows easy access to the password store (e.g. /etc/passwd)!!
3. NO system requires sending passwords in clear text over ANY communications medium;
4. EVERY system locks up an account if a password is entered incorrectly N times in succession.

If legacy systems can't conform to this, replace them ASAP. Require new systems to conform. Eventually we'll all be safer and the very long running password debate will be less interesting.

David Wasley
University of California

PS: It would be nice if there was an "Internet Good Housekeeping Seal of Approval" that declared a site conformed to at least the above. I have "accounts" at NYTimes, Amazon, etc. and have no idea, nor any way of knowing, what they do beyond https.

PPS: I was at a Microsoft site a while back which asked me for a password. My browser warned me that it was not an encrypted channel. I sent a note to Microsoft and they replied "don't worry, it really is encrypted." What sort of mis-education is that?! We try to train users to care about such things and the world's techno-giant says "don't worry; trust us" !?

------

FWIW, in case you weren't bored enough to "read" the editorial, it was actually supportive of the new rules at UT:

"Next week, the University will enter a new age of computer security.

"Most students have been informed that Information Technology Services wants us to change our passwords. Though the requirements seem rather strict (and quite odd), new security measures such as these will only protect us from hackers and other mean, nasty folks who would like nothing better than to invade our personal lives.

"Some students will complain that the list of password requirements may go altogether too far. Some of the criticisms are fair: it may be difficult to memorize an unintelligible set of numbers, letters, and "special" characters.

"But the price we pay for Internet security is often rather steep and we must take it in stride. After all, we live in an era where some of our most vital information is kept online; it must stay out of the reach of cyber-terrorists!!"

-----

At 11:03 AM -0500 on 9/23/04, Dan Updegrove wrote:

Colleagues,

I thought you'd be amused by this "editorial," in today's Daily Texan (the student paper) in response to our new policy to require robust passwords.

Dan Updegrove

Viewpoint: [Please enter new password]

It will likely take less time to read this editorial than it will to think of a new password for UT Direct. We'd like to help. In The Daily Texan's continuing tradition of public service, each word in this editorial meets the criteria to be a possible UT EID password.

Nxet-we!k, theUn1iversity wil!lent8r -ane.wage5 ofcom-puter3 1sec+urity. M00#0ost stu$4d-ents hav:eb@en in--4med v1ae-mai! tkat7nfor-mation +T1echnology S0rvice*s wa-ntsus6 %al7tochang5e ourpa-sswor8s. 1Tho-ughthe re3uire.ments se,emra1her str;ict09 (andqu*iteodd), new&ecurity1 m@esures1susch as5-these 1wyll-onlee 4pro=tect us(fr0om 9h*cKersand 8othermean, nasT-folks1 who-1-wud li1ke>noth+ing bet+ter5tha!n 4to-Nvade our8pers-onal ))liffes0000. Sum@stu2ents 11ha-ve11 0comp)lained t5at=the ##list3of pazz.wrd4 0rekweyermen.ts may,go,a1 7step+too0far. 1.111Sumuv 0(theyr crit.icis.ms2 are4fa-ir; it8may+be 6iff-icul:t 0tomem-orize 4anunintel-ligible set0.00of 6umbers,let1ers+and "7spec-ial" cha-r--act00rs. .00Butthe prisewe($8) pay-2x2-for En-ter7net 6.2secyriT is+of=ten0 r4ather$ ste3ep(555), and+wemus0t 999take,it in-stryde06. @2Aftall, we=7=liv+in an,era+where1 sum-0of 50ourmo-st vital!1!! 1in-for-9mation is.kept75 8on1line; 0-0itmust st.ay0OUT of3there#achof cyber-ter1rorists!!!

DT article -- http://www.dailytexanonline.com/news/2004/09/23/Opinion/Viewpoint.please.Enter.New.Password-728041.shtml
UT EID info -- https://utdirect.utexas.edu/nlogon/eid_suite/general/

VP for Information Technology        Phone (512) 232-9610
The University of Texas at Austin    Fax (512) 232-9607
FAC 248 (Mail code: G9800)           d.updegrove () its utexas edu
P.O. Box 7407                        http://wnt.utexas.edu/~danu/
Austin, TX 78713-7407

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
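One way to put points 1, 2 and 4 of David's list into working code, as an added example that is not part of the mailing list message: a minimal account store that keeps only a per-user salt and a PBKDF2 hash, refuses weak passwords at registration, and locks an account after N consecutive failures. The thresholds (10 characters, three character classes, N = 5) and the PBKDF2 round count are assumptions; nothing here describes the UT or UC systems.

```python
import hashlib
import hmac
import os

# Assumed policy parameters (the message only says "reasonably strong"
# and "N times in succession"); tune them to local policy.
MIN_LENGTH = 10
MAX_FAILURES = 5
PBKDF2_ROUNDS = 100_000


def password_is_strong(pw: str) -> bool:
    """Point 1: reject short or single-class passwords ("Frank" fails)."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3


class AccountStore:
    """Point 2: only a random salt and a PBKDF2-SHA256 hash are kept per
    user; the clear-text password is never stored."""

    def __init__(self):
        self._users = {}  # user -> {"salt", "hash", "failures", "locked"}

    def _derive(self, pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

    def register(self, user: str, pw: str) -> bool:
        if not password_is_strong(pw):
            return False
        salt = os.urandom(16)
        self._users[user] = {"salt": salt, "hash": self._derive(pw, salt),
                             "failures": 0, "locked": False}
        return True

    def login(self, user: str, pw: str) -> str:
        """Returns 'ok', 'bad' or 'locked'. Point 4: the account locks after
        MAX_FAILURES consecutive wrong passwords; a success resets the count.
        Unknown users get 'bad' so the response does not reveal valid names."""
        rec = self._users.get(user)
        if rec is None:
            return "bad"
        if rec["locked"]:
            return "locked"
        if hmac.compare_digest(self._derive(pw, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True
            return "locked"
        return "bad"
```

Point 3 (never sending the password in the clear) is a transport property and is not covered by this store; it belongs to the TLS configuration in front of it.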
Current thread:
- Student paper "editorial" on robust passwords Dan Updegrove (Sep 23)
- <Possible follow-ups>
- Re: Student paper "editorial" on robust passwords David Wall @ Yozons, Inc. (Sep 23)
- Re: Student paper "editorial" on robust passwords Gordon D. Wishon (Sep 23)
- Re: Student paper "editorial" on robust passwords Lucas, Bryan (Sep 23)
- Re: Student paper "editorial" on robust passwords Ron Parker (Sep 23)
- Re: Student paper "editorial" on robust passwords Arlene Yetnikoff (Sep 23)
- Re: Student paper "editorial" on robust passwords Lucas, Bryan (Sep 23)
- Re: Student paper "editorial" on robust passwords Ryan Matteson (Sep 23)
- Re: Student paper "editorial" on robust passwords David Wall @ Yozons, Inc. (Sep 23)
- Re: Student paper "editorial" on robust passwords David L. Wasley (Sep 24)
- Re: Student paper "editorial" on robust passwords Kevin Shalla (Sep 24)