Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Bob Bayn <Bob.Bayn () USU EDU>
Date: Tue, 20 Nov 2007 09:27:20 -0700
On Nov 19, 2007, at 9:06 PM, Bob Bayn wrote:
That doesn't leave me feeling like I'm just pretending to provide security by doing something easy that looks important.
Gene Spafford replied from Purdue:
Sorry -- I didn't mean to imply that anyone was avoiding the important problems. Nor was I suggesting that having strong passwords was a bad idea.
In the light of day, I recognize that. No offense taken.
The point I was trying to make is that every discussion on this topic runs into hundreds of messages with all kinds of absurdly complex rules -- and it is hardly that important. It's like the classic joke of searching for the lost keys under the streetlight because the light is better there even though you lost them across the street.
I was thinking of that old joke, too. In fact, I find it to be a handy comparison in many situations these days.
What finally prompted us to get off our "any 4 or more characters" butts was dictionary attacks that were hitting our proxy server and VPN server from Chinese IP addresses. Once past our firewall through proxy or VPN, they are able to snoop our network from inside, probing machines undetected, and do unappreciated things like download subscription databases from the library until the provider got suspicious of the traffic.
Well, if you are getting those kinds of attacks, you should be:
1) blocking IP ranges
Except that we have distance ed relations with the same institutions in China where many of these attacks seem to originate. Meanwhile, we do block lots of IP ranges for a variety of apparent offenses.
2) reporting it to the FBI as an official complaint
All of our intrusion analyses are shared with the SLC regional office on a regular basis.
3) looking at segregating your networks to protect your high-value resources
4) getting one-time password/token systems
5) putting in stronger access control to important data
etc.
Investing a lot in password rules isn't solving your problem -- it is only masking it. Now, instead of them hacking into 100 accounts, they may only be getting into 2. But that means they are still getting in! You need to address the problem, and the problem isn't fundamentally one of weak passwords. If people are constantly looting my house by picking the lock, climbing through the windows, and cutting through the walls, I am not going to solve it by requiring that I put in a new door lock every month! As a field, we spend waaaaay too much time and resources on palliative measures rather than fundamental cures. In most cases, fiddling with password rules is a prime example.
Agreed, that's why I'm unmoved by all the variety of rules and expirations that we are seeing in the replies here. We've picked a rule set and an expiration limit to implement and we're turning our attention back to the more general, and more productive issues of vulnerability testing and intrusion detection (and the still frustrating issues of access policy approvals).
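As an added illustration of the intrusion-detection side Bob says they are turning to (this is example code, not anything from the thread or from either institution): a single pass over constructed VPN/proxy auth-log lines that flags a source address once it has accumulated a threshold of failed logins across accounts, and separately flags a later successful login from that same source, which is the "they are still getting in" case Gene describes. The log format, addresses and user names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real log output) in an assumed
# "timestamp service auth RESULT user=... src=..." format.
SAMPLE_LOG = """\
2007-11-19T21:01:02 vpn auth FAIL user=alice src=203.0.113.7
2007-11-19T21:01:03 vpn auth FAIL user=alice src=203.0.113.7
2007-11-19T21:01:05 vpn auth FAIL user=bob src=203.0.113.7
2007-11-19T21:01:06 vpn auth FAIL user=carol src=203.0.113.7
2007-11-19T21:01:08 vpn auth FAIL user=dave src=203.0.113.7
2007-11-19T21:01:09 vpn auth FAIL user=erin src=203.0.113.7
2007-11-19T21:02:30 vpn auth OK user=dave src=203.0.113.7
2007-11-19T21:05:00 proxy auth FAIL user=frank src=198.51.100.4
2007-11-19T21:05:20 proxy auth OK user=frank src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def detect_guessing(log_text, fail_threshold=5):
    """Walk the log once, counting failed logins per source address.

    Emits ("guessing", src, distinct_users) the moment a source reaches
    fail_threshold failures (distinct_users > 1 means a dictionary run
    across accounts rather than one user mistyping), and
    ("login_after_guessing", src, user) when a source that already
    tripped the threshold later authenticates successfully.
    """
    fails = defaultdict(int)
    users = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not auth events
        src, user = m["src"], m["user"]
        if m["result"] == "FAIL":
            fails[src] += 1
            users[src].add(user)
            if fails[src] == fail_threshold:
                alerts.append(("guessing", src, len(users[src])))
        elif fails[src] >= fail_threshold:
            alerts.append(("login_after_guessing", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

The single failure followed by success from 198.51.100.4 stays below the threshold and produces nothing, so ordinary typos are not reported.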