Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Mon, 19 Nov 2007 21:45:48 -0500

On Nov 19, 2007, at 9:06 PM, Bob Bayn wrote:

> That doesn't leave me feeling like I'm just pretending to
> provide security by doing something easy that looks important.

Sorry -- I didn't mean to imply that anyone was avoiding the important
problems.  Nor was I suggesting that having strong passwords was a bad
idea.

The point I was trying to make is that every discussion on this topic
runs into hundreds of messages with all kinds of absurdly complex
rules -- and it is hardly that important.  It's like the classic joke
of searching for the lost keys under the streetlight because the light
is better there even though you lost them across the street.

> What finally prompted us to get off our "any 4 or more characters"
> butts was dictionary attacks that were hitting our proxy server
> and VPN server from Chinese IP addresses.  Once past our firewall
> through proxy or VPN they are able to snoop our network from inside
> probing machines undetected,  and do unappreciated things like
> download subscription databases from the library until the provider
> got suspicious of the traffic.

Well, if you are getting those kind of attacks, you should be:
1) blocking IP ranges
2) reporting it to the FBI as an official complaint
3) looking at segregating your networks to protect your high-value
resources
4) getting one-time password/token systems
5) putting in stronger access control to important data

etc.

Investing a lot in password rules isn't solving your problem -- it is
only masking it.   Now, instead of them hacking into 100 accounts,
they may only be getting into 2.  But that means they are still
getting in!   You need to address the problem, and the problem isn't
fundamentally one of weak passwords.

If people are constantly looting my house by picking the lock,
climbing through the windows, and cutting through the walls, I am not
going to solve it by requiring that I put in a new door lock every
month!


As a field, we spend waaaaay too much time and resources on palliative
measures rather than fundamental cures.  In most cases, fiddling with
password rules is a prime example.
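The exchange above centres on two practical points: spotting the dictionary attacks against the proxy and VPN in the first place, and then acting on the source (item 1 of the list, blocking IP ranges) rather than only tightening the password policy. The following is an added example, not part of this message or the thread, showing detection logic of that kind run over a handful of constructed authentication log lines. The log format, the service names, the thresholds and the function names (`parse_log`, `find_guessing_sources`, `block_ranges`) are all assumptions made for the example; no real VPN or proxy product emits exactly these lines. Besides counting failures per source, it records which accounts later logged in successfully from a guessing source, which is the "they are still getting in" case the message warns about, and it aggregates the offending sources into /24 networks for a firewall deny list.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption for this example, not a real product's):
#   2007-11-19T20:00:01 vpn auth FAIL user=alice src=203.0.113.9
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>vpn|proxy) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source sprays six usernames and then succeeds on
# one of them, one source hammers a single account and fails, and one
# ordinary user mistypes once and then logs in normally.
SAMPLE_LOG = """\
2007-11-19T20:00:01 vpn auth FAIL user=alice src=203.0.113.9
2007-11-19T20:00:03 vpn auth FAIL user=bob src=203.0.113.9
2007-11-19T20:00:05 vpn auth FAIL user=carol src=203.0.113.9
2007-11-19T20:00:07 vpn auth FAIL user=dave src=203.0.113.9
2007-11-19T20:00:09 vpn auth FAIL user=erin src=203.0.113.9
2007-11-19T20:00:11 vpn auth FAIL user=frank src=203.0.113.9
2007-11-19T20:00:13 vpn auth OK user=frank src=203.0.113.9
2007-11-19T20:02:00 proxy auth FAIL user=alice src=198.51.100.7
2007-11-19T20:02:30 proxy auth OK user=alice src=198.51.100.7
2007-11-19T20:05:00 proxy auth FAIL user=gina src=203.0.113.44
2007-11-19T20:05:01 proxy auth FAIL user=gina src=203.0.113.44
2007-11-19T20:05:02 proxy auth FAIL user=gina src=203.0.113.44
2007-11-19T20:05:03 proxy auth FAIL user=gina src=203.0.113.44
2007-11-19T20:05:04 proxy auth FAIL user=gina src=203.0.113.44
2007-11-19T20:05:05 proxy auth FAIL user=gina src=203.0.113.44
""".splitlines()


def parse_log(lines):
    """Turn matching log lines into dicts; lines in any other format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def find_guessing_sources(events, max_failures=5, window=timedelta(minutes=10)):
    """Return {src: info} for every source with more than max_failures
    failed logins inside any `window`-long span.

    info lists the distinct usernames tried and any accounts that logged in
    successfully from that source after the threshold was crossed, i.e. the
    accounts that should be treated as compromised.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0          # left edge of the sliding window over failures
        burst_end = None   # timestamp at which the threshold was crossed
        for i, e in enumerate(fails):
            while fails[start]["ts"] < e["ts"] - window:
                start += 1
            if i - start + 1 > max_failures:
                burst_end = e["ts"]
                break
        if burst_end is None:
            continue
        compromised = sorted({e["user"] for e in evs
                              if e["result"] == "OK" and e["ts"] >= burst_end})
        flagged[src] = {
            "failures": len(fails),
            "users_tried": sorted({e["user"] for e in fails}),
            "compromised_accounts": compromised,
        }
    return flagged


def block_ranges(sources, prefix_len=24):
    """Aggregate flagged IPv4 sources into /prefix_len networks for a deny list."""
    nets = {ipaddress.ip_network(f"{s}/{prefix_len}", strict=False) for s in sources}
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    hits = find_guessing_sources(parse_log(SAMPLE_LOG))
    for src, info in hits.items():
        print(src, info)
    print("deny:", block_ranges(hits))
```

The threshold and window are deliberately conservative so that a single mistyped password (198.51.100.7 in the sample) is never flagged; the accounts listed under `compromised_accounts` are the ones to disable and re-credential, which is the part of the problem a stricter password rule alone does not address.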
