Educause Security Discussion mailing list archives

Re: Student paper "editorial" on robust passwords


From: Kevin Shalla <kshalla () UIC EDU>
Date: Fri, 24 Sep 2004 13:43:55 -0500

Unfortunately, applications are being developed even today which don't have
any password requirements, and don't have connections to other types of
shared authentication schemes (like LDAP, Kerberos).  These same
applications store passwords in clear text, and have no mechanism for
locking after N failed login attempts.  We just bought a system (to take
over for an in-house developed application which is being decommissioned
soon) that is exactly as I describe above, and the user won't be talked out
of it.  He needs his work done, and no other application does what he needs
(besides the one we're disposing - for financial reasons).

At 01:25 PM 9/24/2004, David Wasley wrote:
What I don't often hear in this discussion is the clear set of
technical mitigations that we all should be working towards.  Of
course Frank's password should not be "Frank" but frankly we
technologists have some work to do as well.

It should be the goal of every IT environment that, at the very least:

       1. EVERY system requires reasonably strong passwords to avoid
          ease of guessing;

       2. NO system stores passwords in the clear, and NO system allows easy
          access to the password store (e.g. /etc/passwd)!!

       3. NO system requires sending passwords in clear text over ANY
          communications medium;

       4. EVERY system locks up an account if a password is entered
          incorrectly N times in succession.

If legacy systems can't conform to this, replace them ASAP.  Require
new systems to conform.  Eventually we'll all be safer and the very
long running password debate will be less interesting.
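The four points in the quoted list (apart from the transport point, which is a TLS matter outside a single program) can be demonstrated in a small credential store. The following is an added example, not code from either poster; the hash function (PBKDF2-HMAC-SHA256), the lockout threshold N=5 and the 12-character minimum are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5          # the "N" in point 4 (assumed value)
MIN_PASSWORD_LENGTH = 12  # assumed minimum for point 1
PBKDF2_ITERATIONS = 100_000


class PasswordStore:
    """Credential store that never keeps the password itself (point 2),
    rejects weak passwords (point 1) and locks after N failures (point 4)."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self._records = {}  # username -> {salt, hash, failures, locked}

    @staticmethod
    def _derive(password, salt):
        # Salted, deliberately slow hash; this is the only thing ever stored.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def is_acceptable(self, username, password):
        # Point 1: refuse short passwords and ones that merely echo the username
        # (so "Frank" is not a valid password for frank).
        return len(password) >= MIN_PASSWORD_LENGTH and username.lower() not in password.lower()

    def register(self, username, password):
        if not self.is_acceptable(username, password):
            raise ValueError("password does not meet minimum requirements")
        salt = os.urandom(16)
        self._records[username] = {"salt": salt, "hash": self._derive(password, salt),
                                   "failures": 0, "locked": False}

    def authenticate(self, username, password):
        rec = self._records.get(username)
        if rec is None:
            # Unknown user: do the same work so timing does not reveal valid usernames.
            self._derive(password, b"\x00" * 16)
            return False
        if rec["locked"]:
            return False  # point 4: locked accounts reject even the correct password
        if hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"])):
            rec["failures"] = 0  # a success resets the consecutive-failure counter
            return True
        rec["failures"] += 1
        if rec["failures"] >= self.max_failures:
            rec["locked"] = True
        return False

    def is_locked(self, username):
        return self._records[username]["locked"]
```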
