Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Tue, 20 Nov 2007 11:07:43 -0600
At 07:50 PM 11/19/2007, Gene Spafford put fingers to keyboard and wrote:
> On Nov 19, 2007, at 8:32 PM, Peters, Kevin wrote:
>
>> Here is my question - does anyone have the data on how many times a hack (attack) has occurred associated to breaking the "launch codes" from outside of the organization? The last information I gleaned from the FBI reports (several years ago) indicated that 70 percent of hackings (attacks) were internal. My most recent experience with intrusions has had nothing to do with a compromised password, rather an exploit of some vulnerability in the OS, database, or application.
>
> I track these things, and I cannot recall the last time I saw any report of an incident caused by a guessed password. Most common incidents are phishing, trojans, snooping, physical theft of sensitive media, and remote exploitation of bugs.
FWIW, we've had our share of incidents that appear to have been caused by brute force attacks on passwords. Likely this was done via ssh. We have also seen our own hosts trying to brute force passwords via ssh. It's also somewhat common in viruses to have a built-in password list as an attack vector. Depending on your password infrastructure, either of these could lead to a more serious incident.
> People devote huge amounts of effort to passwords because it is one of the few things they think they can control.
Strong passwords are simply one part of an effective security plan. IMO, which I totally concede carries nowhere near the weight of Gene's, it would be a mistake to take other practical security steps, and ignore the password's potential weakness.
> Picking stronger passwords won't stop phishing. It won't stop users downloading trojans. It won't stop capture of sensitive transmissions. It won't bring back a stolen laptop (although if the laptop has proper encryption it *might* protect the data). And passwords won't ensure that patches are in place but flaws aren't.
See the above.

--
Roger A. Safian
r-safian () northwestern edu (email)
public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"
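As an added example, not from this thread or any of its authors: a small Python script that flags the kind of ssh password brute force Roger describes, by counting "Failed password" lines per source address inside a short sliding window. The sshd log lines are constructed, and the syslog year is assumed to be 2007.

```python
# Added example, not from the thread: flag SSH password brute-force attempts
# by counting "Failed password" lines per source IP in a sliding time window.
# The sshd log lines below are constructed; the syslog year is assumed (2007).
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" line in classic syslog format (no year in the stamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

SAMPLE_LOG = """\
Nov 20 10:00:01 host sshd[1201]: Failed password for root from 192.0.2.10 port 4410 ssh2
Nov 20 10:00:03 host sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 4411 ssh2
Nov 20 10:00:04 host sshd[1203]: Failed password for invalid user oracle from 192.0.2.10 port 4412 ssh2
Nov 20 10:00:06 host sshd[1204]: Failed password for root from 192.0.2.10 port 4413 ssh2
Nov 20 10:00:07 host sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 4414 ssh2
Nov 20 10:00:09 host sshd[1206]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Nov 20 10:30:00 host sshd[1207]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Nov 20 11:30:00 host sshd[1208]: Failed password for alice from 198.51.100.7 port 5002 ssh2
"""

def parse_failed(lines, year=2007):
    """Yield (timestamp, source_ip, username) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: details} for sources with `threshold` or more failures inside
    any `window_s`-second window; a mistyped password once an hour is ignored."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames tried (a list attack cycles names)
    flagged = {}
    for ts, ip, user in parse_failed(lines):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = {"failures": len(q), "users": sorted(users[ip]),
                           "last_seen": ts}
    return flagged
```

Running `detect_bruteforce(SAMPLE_LOG.splitlines())` flags only 192.0.2.10 (five failures across four usernames in eight seconds); the two spaced-out failures from 198.51.100.7 stay below the threshold.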