Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Tue, 20 Nov 2007 11:28:19 -0700
Peter, I just attended several trainings and presentations put on through InfraGard and the FBI. I had a chance to speak with a team lead who investigates hacks into highly secure systems, including stock trading houses. There is a great deal of data flowing around on whether hacking is mostly an internal or external threat, but the problem is that much of it is anecdotal. The gentleman that I spoke with validated what my own research via surveys and face-to-face conversations has revealed: a very large percentage of the results of investigations into hacks are kept highly confidential.

Having said that, my own work and observations point to intentional internal threats and unintentional internal threats (social engineering, passwords on sticky notes stuck to monitors, etc.) as being so significant that all security programs must take them into account. Thus, in engineering a solution, it is critical to classify, segregate and monitor traffic, data, etc., define baselines and then compare results against those baselines. These programs must be able to consider attacks from outsiders using their own systems and outsiders using compromised systems such as target organization members' computers and mobile devices. They must also consider internal attacks from internal organization members, including consultants and contractors. Finally, don't forget the growing numbers of external repair and support personnel with internal access who maintain systems (routers, switches, servers, etc.) and install a growing number of networked resources such as copiers and printers.

In summary, it is a complex picture that is highly dynamic, so there is no end point, just an on-going journey for us in the security space.
Regards,
Ozzie Paez
SSE/CISSP
SAIC
303-332-5363

-----Original Message-----
From: Peters, Kevin [mailto:Kevin.Peters () OLC STATE OH US]
Sent: Monday, November 19, 2007 6:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

Let's see... The number one password is password. The number two password is no password. In War Games the backdoor was the son's name (what was that name?). In Spaceballs, Mel Brooks' luggage password was 12345. The number one place to save a password is on a post-it note placed "somewhere" within inches of the user's PC. (We all have our favorites - I like under my mouse pad.) My team still believes that the best password is *********. That is the password they see every time I log into the network when using a data projector, and you know they are still trying to figure that one out.

Here is my question - does anyone have the data on how many times a hack (attack) has occurred associated with breaking the "launch codes" from outside of the organization? The last information I gleaned from the FBI reports (several years ago) indicated that 70 percent of hackings (attacks) were internal. My most recent experience with intrusions has had nothing to do with a compromised password, rather an exploit of some vulnerability in the OS, database, or application. In the end it still comes down to social engineering. The harder we make it for our users to log onto the business network, the more our users will resist. We need to be exploring new technology in this area.

I recently read an article on password systems. The basis of the article was that the best password was the human face. When the user would log on, three grids would be presented with nine human faces on each grid, presented randomly within each grid. The user would select one face from each grid. Okay, hack that one. (I use Rocky and Bullwinkle and Boris.) What is the question again? I have forgotten... Oh yeah, passwords!
By the time we figure out a standard, someone will have moved the cheese and the monkey. The face of the future will be a face, when it comes to passwords.

Kp

----- Original Message -----
From: Harold Winshel <winshel () CAMDEN RUTGERS EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Mon Nov 19 17:56:03 2007
Subject: Re: [SECURITY] Passwords & Passphrases

Are you saying a password cracking program is more likely to guess the letter "a" repeated 15 times, or that an individual user trying to break in to a machine will more likely try that?

Harold

At 05:37 PM 11/19/2007, Alex wrote:
Harold: I think there is confusion between pure mathematical probability and probability based on historical attacks/human-created passwords. An attacker is more likely to try repetitive or dictionary-based/hybrid attacks over a network (or against a hash) than random passwords. Additionally, people are more likely to use certain characters than others when creating passwords (e.g. Wheel of Fortune). Therefore, user-created passwords are not random. So, given that we know attackers typically use 'easy' passwords, the character 'a' repeated 15 times is more likely to be cracked than a 15 character passphrase. Likely, so is a 15 character passphrase when compared to a truly randomly generated password of 15 characters from the same character set. Hence, we have password complexity rules such as those in Microsoft Server 2003 and Linux.

-Alex

-----Original Message-----
From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
Sent: Monday, November 19, 2007 5:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

I may have missed some of the earlier emails, but I thought that a 15 character passphrase is as secure as a 15 character random password. For that matter, I thought the user could use the letter "a" fifteen times and it could be as secure as a random 15-character password or a 15-character password such as "I don't like the Red Sox" (I think that's more than 15, though).

Harold

At 04:44 PM 11/19/2007, Roger Safian wrote:

At 02:01 PM 11/19/2007, Martin Manjak put fingers to keyboard and wrote:
move beyond 8 characters with mixed case and special characters. I would like to see us require a 15 character pass phrase which, in my view, is more secure (even without complexity), and both easier to type and remember.

Personally I'd love to see a password minimum length of 15 characters. My fear is that a password database gets compromised, and the weak passwords are cracked and bad things take place. I think that 15 characters is a long enough string to make brute force cracking time consuming enough to allow us to change the passwords in a reasonable time-frame. I think the reality is that 15 characters will be too much for the community. We'll see.

--
Roger A. Safian
r-safian () northwestern edu (email)
public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)
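The thread argues two points that are easy to quantify: Alex's, that an attacker tries patterns, dictionary words and hybrids long before random strings, so "a" repeated 15 times and a 15-character phrase sit at very different positions in the attacker's guess order than a random 15-character string; and Roger's, that length alone sets the brute-force time on a leaked hash database. The following is an added example, not code from any post in this thread. It models a pattern/dictionary/hybrid guess order and reports where each of Harold's three candidates falls in it, then computes keyspace bits and worst-case brute-force days for 8- versus 15-character random strings, for a five-word passphrase, and for the three-grid face scheme Kevin describes. The word list, the phrase candidates, the 10^10 guesses-per-second rate and the 7776-word dictionary size are constructed assumptions, not measurements.

```python
"""Added example (not from any post in this thread).

Ranks password candidates under a pattern/dictionary/hybrid attacker and
computes keyspace and brute-force figures. WORDS, the candidate strings, the
guess rate and the 7776-word dictionary size are constructed assumptions."""

import itertools
import math
import string

# 94 printable ASCII characters (no space): the usual "full keyboard" alphabet.
ALPHABET_SIZE = len(string.ascii_letters + string.digits + string.punctuation)

# Constructed stand-in for an attacker's wordlist (assumption).
WORDS = ["password", "red", "sox", "like", "dont", "i", "the", "a", "admin", "letmein"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of a uniformly random string of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """Bits of a passphrase of n_words drawn uniformly from a dictionary.
    A word-aware attacker searches this space, not the character-level one."""
    return n_words * math.log2(dictionary_size)


def brute_force_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust the keyspace against one leaked hash."""
    return alphabet_size ** length / guesses_per_second


def human_guesses(max_repeat: int = 20):
    """Yield guesses in the order a pattern/dictionary/hybrid attack tries them:
    1. bare dictionary words, 2. one letter repeated 1..max_repeat times,
    3. word followed by up to two digits, 4. phrases of 2 to 5 dictionary words."""
    yield from WORDS
    for ch in string.ascii_lowercase:
        for n in range(1, max_repeat + 1):
            yield ch * n
    for w in WORDS:
        for n in range(100):
            yield f"{w}{n}"
    for k in range(2, 6):
        for combo in itertools.product(WORDS, repeat=k):
            yield " ".join(combo)


def guess_rank(secret: str, max_guesses: int = 200_000):
    """1-based position of `secret` in the attacker's guess order, or None if it
    is not reached within max_guesses (i.e. only raw brute force would find it)."""
    for i, guess in enumerate(human_guesses(), start=1):
        if guess == secret:
            return i
        if i >= max_guesses:
            break
    return None


def compare_candidates() -> dict:
    """Rank the thread's three candidates and report keyspace/brute-force figures."""
    return {
        "rank_repeated_a": guess_rank("a" * 15),
        "rank_passphrase": guess_rank("i like the red sox"),
        "rank_random": guess_rank("Vq7!xL2#pR9$wE4"),  # constructed 15-char random string
        "bits_random_15": entropy_bits(15, ALPHABET_SIZE),
        "bits_random_8": entropy_bits(8, ALPHABET_SIZE),
        "bits_phrase_5_of_7776": passphrase_bits(5, 7776),  # diceware-sized list (assumption)
        "bits_face_grid": entropy_bits(3, 9),  # 3 grids x 9 faces, one pick per grid
        "days_brute_8": brute_force_seconds(8, ALPHABET_SIZE, 1e10) / 86400,
        "days_brute_15": brute_force_seconds(15, ALPHABET_SIZE, 1e10) / 86400,
    }


if __name__ == "__main__":
    for name, value in compare_candidates().items():
        if isinstance(value, float):
            print(f"{name:>24}: {value:.4g}")
        else:
            print(f"{name:>24}: {value}")
```

Running the script shows the ordering Alex describes: "a" repeated 15 times is the 25th guess, the five-word phrase is found once the attacker reaches word combinations, and the random string is never reached by the pattern attack at all, leaving only the 94^15 keyspace (about 98 bits, on the order of 10^14 days at the assumed rate) against it. The same arithmetic gives the face-grid scheme 9^3 = 729 combinations, under 10 bits, which is the number to weigh against "hack that one".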
Current thread:
- Re: Passwords & Passphrases, (continued)
- Re: Passwords & Passphrases Gary Dobbins (Nov 20)
- Re: Passwords & Passphrases Peters, Kevin (Nov 20)
- Re: Passwords & Passphrases Mike Porter (Nov 20)
- Re: Passwords & Passphrases Willis Marti (Nov 20)
- Re: Passwords & Passphrases Bob Bayn (Nov 20)
- Re: Passwords & Passphrases Steven Carmody (Nov 20)
- Re: Passwords & Passphrases Roger Safian (Nov 20)
- Re: Passwords & Passphrases Harold Winshel (Nov 20)
- Re: Passwords & Passphrases Steven Alexander (Nov 20)
- Re: Passwords & Passphrases John Ladwig (Nov 20)
- Re: Passwords & Passphrases Ozzie Paez (Nov 20)
- Re: Passwords & Passphrases David Harley (Nov 20)
- Re: Passwords & Passphrases Zach Jansen (Nov 20)
- Re: Passwords & Passphrases Gary Flynn (Nov 20)
- Re: Passwords & Passphrases Matthew Gracie (Nov 20)
- Re: Fwd: Passwords & Passphrases Andrea Beesing (Nov 20)
- Re: Passwords & Passphrases Eric Case (Nov 21)
- Re: Passwords & Passphrases Andrea Beesing (Nov 25)
- Re: Passwords & Passphrases Kees Leune (Nov 26)
- Re: Passwords & Passphrases Paul Keser (Nov 26)