Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: "Peters, Kevin" <Kevin.Peters () OLC STATE OH US>
Date: Mon, 19 Nov 2007 20:53:58 -0500

Thank you, so very much!

Kp

----- Original Message -----
From: Gene Spafford <spaf () CERIAS PURDUE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Mon Nov 19 20:50:52 2007
Subject: Re: [SECURITY] Passwords & Passphrases


On Nov 19, 2007, at 8:32 PM, Peters, Kevin wrote:

        Here is my question - does anyone have the data on how many times a hack (attack) has occurred associated to
        breaking the "launch codes" from outside of the organization?  The last information I gleaned from the FBI reports
        (several years ago) indicated that 70 percent of hackings (attacks) were internal.

        My most recent experience with intrusions has had nothing to do with a compromised password, rather an exploit
        of some vulnerability in the OS, database, or application.


I track these things, and I cannot recall the last time I saw any report of an incident caused by a guessed password.  
Most common incidents are phishing, trojans, snooping, physical theft of sensitive media, and remote exploitation of 
bugs.

People devote huge amounts of effort to passwords because it is one of the few things they think they can control.  

Picking stronger passwords won't stop phishing.  It won't stop users downloading trojans.  It won't stop capture of 
sensitive transmissions.   It won't bring back a stolen laptop (although if the laptop has proper encryption it *might* 
protect the data).   And passwords won't ensure that patches are in place but flaws aren't.

Creating and forcing strong password policies is akin to being the bosun ensuring that everyone on the Titanic has 
locked their staterooms before they abandon ship.  It doesn't stop the ship from sinking or save any lives, but it sure 
does make you look like you're doing something important.....
