Educause Security Discussion mailing list archives
Re: Student paper "editorial" on robust passwords
From: Kevin Shalla <kshalla () UIC EDU>
Date: Fri, 24 Sep 2004 13:43:55 -0500
Unfortunately, applications are being developed even today which don't have any password requirements, and don't have connections to other types of shared authentication schemes (like LDAP, Kerberos). These same applications store passwords in clear text, and have no mechanism for locking after N failed login attempts.

We just bought a system (to take over for an in-house developed application which is being decommissioned soon) that is exactly as I describe above, and the user won't be talked out of it. He needs his work done, and no other application does what he needs (besides the one we're disposing - for financial reasons).

At 01:25 PM 9/24/2004, David Wasley wrote:
> What I don't often hear in this discussion is the clear set of technical mitigations that we all should be working towards. Of course Frank's password should not be "Frank" but frankly we technologists have some work to do as well. It should be the goal of every IT environment that, at the very least:
>
> 1. EVERY system requires reasonably strong passwords to avoid ease of guessing;
> 2. NO system stores passwords in the clear, and NO system allows easy access to the password store (e.g. /etc/passwd)!!
> 3. NO system requires sending passwords in clear text over ANY communications medium;
> 4. EVERY system locks up an account if a password is entered incorrectly N times in succession.
>
> If legacy systems can't conform to this, replace them ASAP. Require new systems to conform. Eventually we'll all be safer and the very long running password debate will be less interesting.
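As an added illustration (not part of this thread or any product it mentions), here is what Wasley's points 1, 2 and 4 look like when an application implements them itself rather than storing passwords in clear text: a strength check at creation, only a salted PBKDF2 hash kept, and a lockout after N consecutive failures. The thresholds, the in-memory store and the names are my own assumptions.

```python
import hashlib
import hmac
import os
import time

MIN_LENGTH = 12          # policy assumption: minimum password length
MAX_FAILURES = 5         # the "N" consecutive failures that trigger a lockout
LOCKOUT_SECONDS = 900    # how long the account stays locked (assumption)
PBKDF2_ROUNDS = 100_000  # kept low so the demo runs fast; raise for production

def is_strong(password):
    # Mitigation 1: length plus at least three character classes.
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) >= MIN_LENGTH and sum(classes) >= 3

def _derive(password, salt):
    # Mitigation 2: only this salted PBKDF2-HMAC-SHA256 output is stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

class PasswordStore:
    def __init__(self):
        self._records = {}  # username -> salt, hash and lockout state (never the password)

    def create(self, username, password):
        if not is_strong(password):
            return False                      # reject weak passwords at creation time
        salt = os.urandom(16)
        self._records[username] = {"salt": salt, "hash": _derive(password, salt),
                                   "failures": 0, "locked_until": 0.0}
        return True

    def login(self, username, password, now=None):
        # Returns "ok", "denied" or "locked"; `now` is injectable so tests can advance time.
        now = time.time() if now is None else now
        rec = self._records.get(username)
        if rec is None:
            _derive(password, b"\x00" * 16)   # same work for unknown users: no timing tell
            return "denied"
        if now < rec["locked_until"]:
            return "locked"                   # do not even check the password while locked
        if hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0               # success resets the consecutive-failure count
            return "ok"
        rec["failures"] += 1                  # Mitigation 4: count consecutive failures
        if rec["failures"] >= MAX_FAILURES:
            rec["failures"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

Point 3 (no clear-text transmission) is a transport concern and is not shown here; it belongs in the channel (TLS, Kerberos) rather than in the password store.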