Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Tue, 20 Nov 2007 11:07:43 -0600

At 07:50 PM 11/19/2007, Gene Spafford put fingers to keyboard and wrote:

> On Nov 19, 2007, at 8:32 PM, Peters, Kevin wrote:
>
>> Here is my question - does anyone have the data on how many times a hack (attack) has occurred associated to breaking
>> the "launch codes" from outside of the organization?  The last information I gleaned from the FBI reports (several
>> years ago) indicated that 70 percent of hackings (attacks) were internal.
>>
>> My most recent experience with intrusions has had nothing to do with a compromised password, rather an exploit of
>> some vulnerability in the OS, database, or application.
>
> I track these things, and I cannot recall the last time I saw any report of an incident caused by a guessed password.
> Most common incidents are phishing, trojans, snooping, physical theft of sensitive media, and remote exploitation of
> bugs.

FWIW, we've had our share of incidents that appear to have been caused by brute
force attacks on passwords.  Likely this was done via ssh.  We have also seen
our own hosts trying to brute force passwords via ssh.

It's also somewhat common in viruses to have a built-in password list
as an attack vector.

Depending on your password infrastructure, either of these could lead
to a more serious incident.

> People devote huge amounts of effort to passwords because it is one of the few things they think they can control.

Strong passwords are simply one part of an effective security plan.
IMO, which I totally concede carries nowhere near the weight of
Gene's, it would be a mistake to take other practical security
steps, and ignore the password's potential weakness.

> Picking stronger passwords won't stop phishing.  It won't stop users downloading trojans.  It won't stop capture of
> sensitive transmissions.   It won't bring back a stolen laptop (although if the laptop has proper encryption it
> *might* protect the data).   And passwords won't ensure that patches are in place but flaws aren't.

See the above.




--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
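Roger's observation that ssh brute-force attempts show up both inbound and from one's own hosts is something sshd's auth log records directly, so the question of whether password guessing is happening on a campus network can be answered from logs rather than argued from FBI statistics. The following is an added example, not code from the thread or from any of the posters: a small Python script that parses sshd syslog lines, flags sources with a burst of failed password attempts inside a time window, and then separately reports any accepted password login from a flagged source, which is the case that turns a noisy scan into a real incident. The hostnames, usernames and addresses in the sample log are constructed (RFC 5737 documentation ranges), and the threshold and window values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd/syslog sample for illustration only; hosts, users and
# addresses are made up and do not come from the thread.
SAMPLE_AUTH_LOG = """\
Nov 20 10:01:02 host1 sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Nov 20 10:01:03 host1 sshd[2002]: Failed password for invalid user oracle from 198.51.100.7 port 40113 ssh2
Nov 20 10:01:04 host1 sshd[2003]: Failed password for root from 198.51.100.7 port 40114 ssh2
Nov 20 10:01:05 host1 sshd[2004]: Failed password for invalid user test from 198.51.100.7 port 40115 ssh2
Nov 20 10:01:06 host1 sshd[2005]: Failed password for invalid user guest from 198.51.100.7 port 40116 ssh2
Nov 20 10:01:07 host1 sshd[2006]: Failed password for root from 198.51.100.7 port 40117 ssh2
Nov 20 10:05:30 host1 sshd[2010]: Failed password for alice from 192.0.2.15 port 51000 ssh2
Nov 20 10:05:41 host1 sshd[2011]: Accepted publickey for alice from 192.0.2.15 port 51001 ssh2
Nov 20 10:06:00 host1 sshd[2012]: Accepted password for root from 198.51.100.7 port 40118 ssh2
"""

# Matches the two sshd message shapes this script cares about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\s(?P<method>password|publickey)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)

# syslog timestamps carry no year; the year is assumed (the thread's year here).
LOG_YEAR = 2007


def parse_sshd_line(line, year=LOG_YEAR):
    """Return a dict for a Failed/Accepted auth event, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = re.sub(r"\s+", " ", m.group("ts"))  # "Nov  5" -> "Nov 5"
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return {"when": when, "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "ip": m.group("ip")}


def max_failures_in_window(times, window_seconds):
    """Largest number of events from one source inside any window_seconds span."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        # Advance j while times[j] is still within the window starting at times[i].
        while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
            j += 1
        best = max(best, j - i)
    return best


def find_brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Map source IP -> peak failed-password count, for IPs at or over threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev and ev["result"] == "Failed" and ev["method"] == "password":
            failures[ev["ip"]].append(ev["when"])
    flagged = {}
    for ip, times in failures.items():
        peak = max_failures_in_window(times, window_seconds)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def find_successes_from_flagged(log_text, flagged):
    """Accepted password logins from flagged sources: the result worth paging on."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if (ev and ev["result"] == "Accepted" and ev["method"] == "password"
                and ev["ip"] in flagged):
            hits.append((ev["ip"], ev["user"]))
    return hits


if __name__ == "__main__":
    flagged = find_brute_force_sources(SAMPLE_AUTH_LOG)
    for ip, n in flagged.items():
        print(f"possible ssh brute force from {ip}: {n} failed passwords in window")
    for ip, user in find_successes_from_flagged(SAMPLE_AUTH_LOG, flagged):
        print(f"ALERT: password login for {user!r} accepted from brute-force source {ip}")
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh` output) the same two functions apply unchanged; pointing them at outbound connection logs from your own subnets is how the "our own hosts trying to brute force passwords" case Roger mentions gets caught. A single failed attempt followed by a key-based login, as with `alice` in the sample, is deliberately left unflagged so that ordinary typos do not page anyone.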
