Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Mon, 19 Nov 2007 21:45:48 -0500
On Nov 19, 2007, at 9:06 PM, Bob Bayn wrote:
> That doesn't leave me feeling like I'm just pretending to provide security by doing something easy that looks important.
Sorry -- I didn't mean to imply that anyone was avoiding the important problems. Nor was I suggesting that having strong passwords was a bad idea. The point I was trying to make is that every discussion on this topic runs into hundreds of messages with all kinds of absurdly complex rules -- and it is hardly that important. It's like the classic joke of searching for the lost keys under the streetlight because the light is better there even though you lost them across the street.
> What finally prompted us to get off our "any 4 or more characters" butts was dictionary attacks that were hitting our proxy server and VPN server from Chinese IP addresses. Once past our firewall through proxy or VPN, they are able to snoop our network from inside, probing machines undetected, and do unappreciated things like download subscription databases from the library until the provider got suspicious of the traffic.
Well, if you are getting those kinds of attacks, you should be:
1) blocking IP ranges
2) reporting it to the FBI as an official complaint
3) looking at segregating your networks to protect your high-value resources
4) getting one-time password/token systems
5) putting in stronger access control to important data
etc.
Investing a lot in password rules isn't solving your problem -- it is only masking it. Now, instead of them hacking into 100 accounts, they may only be getting into 2. But that means they are still getting in! You need to address the problem, and the problem isn't fundamentally one of weak passwords. If people are constantly looting my house by picking the lock, climbing through the windows, and cutting through the walls, I am not going to solve it by requiring that I put in a new door lock every month! As a field, we spend waaaaay too much time and resources on palliative measures rather than fundamental cures. In most cases, fiddling with password rules is a prime example.
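As an added illustration of the attack Bob describes and of the first item on Gene's list, the script below is example code written for this archive page, not code from either poster. It scans constructed, syslog-style VPN login lines, flags source addresses whose failure pattern (many failures spread over many usernames) looks like a dictionary attack, reports which accounts each flagged source nonetheless logged into, and emits /24 block candidates for a firewall deny list. The log format, the thresholds, and the sample addresses and usernames are all assumptions made for the example.

```python
"""Flag online dictionary attacks against a VPN/proxy login from its auth log.

Added example, not code from the original mailing-list thread. The log
format, thresholds and sample data below are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed, constructed log format: one line per login attempt.
LOG_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)")


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while scanning the log."""
    failures: int = 0
    users_tried: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # usernames that logged in OK


def analyze(lines):
    """Parse log lines and return {source_ip: SourceStats}; unparseable lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        s = stats[m["src"]]
        s.users_tried.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(m["user"])
    return dict(stats)


def flag_dictionary_attacks(stats, min_failures=20, min_users=10):
    """Return {source_ip: [accounts it logged into]} for sources whose pattern
    looks like a dictionary attack. Thresholds are assumptions; tune them to the
    service's normal traffic. A flagged source with a non-empty account list is
    a break-in, not just noise."""
    flagged = {}
    for src, s in stats.items():
        if s.failures >= min_failures and len(s.users_tried) >= min_users:
            flagged[src] = sorted(s.successes)
    return flagged


def block_candidates(flagged, prefix_len=24):
    """Collapse flagged sources into CIDR blocks (/24 by default) for a deny list."""
    return {str(ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)) for src in flagged}


def constructed_sample_log():
    """Constructed sample: two normal users, plus one source cycling through
    40 usernames; two weakly protected accounts fall to the guessing."""
    lines = []
    t = 0

    def entry(user, src, result):
        nonlocal t
        t += 1
        return f"Nov 19 20:{t // 60:02d}:{t % 60:02d} vpn1 auth: user={user} src={src} result={result}"

    lines.append(entry("alice", "10.0.0.5", "FAIL"))  # one typo, then a real login
    lines.append(entry("alice", "10.0.0.5", "OK"))
    lines.append(entry("bob", "10.0.0.9", "OK"))
    for i in range(40):
        user = f"user{i:02d}"
        lines.append(entry(user, "203.0.113.7", "FAIL"))
        if user in ("user03", "user27"):
            lines.append(entry(user, "203.0.113.7", "OK"))
    return lines


if __name__ == "__main__":
    stats = analyze(constructed_sample_log())
    flagged = flag_dictionary_attacks(stats)
    for src, accounts in flagged.items():
        print(f"{src}: {stats[src].failures} failures over {len(stats[src].users_tried)} users; "
              f"accounts compromised: {accounts or 'none'}")
    print("block:", sorted(block_candidates(flagged)))
```

The per-source "accounts compromised" list is the figure to watch after any password-rule change: if it is still non-empty, the attacker is still getting in, which is the point the reply above makes, and the block list and the account list are what a report to law enforcement and a password reset for the affected users would be built from.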