Educause Security Discussion mailing list archives

Re: Passphrases v Password


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Sat, 6 Jul 2013 00:04:13 +0000

Real-world attackers do crack passwords.  For instance, the South Carolina Department of Revenue in late 2012.  In that 
incident, the attackers probably got their initial access via a phishing attack but used password cracking to gain 
access to additional systems.  Mandiant did a report on the incident:

http://docs.ismgcorp.com/files/external/MANDIANT_Public_IR_Report_Dept_of_Revenue_11202012.pdf

There have also been some high-profile incidents involving hashes stolen from websites (e.g. LinkedIn).  There is 
little point in stealing hashes if you don't intend to crack them.

In general, attackers will do what works.

I agree with moving toward two-factor authentication.  In many cases, e.g. any Windows system, it's too difficult to 
get users to pick passwords that are not practically crackable.

Steven
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Rich Graves [rgraves () CARLETON EDU]
Sent: Friday, July 05, 2013 12:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passphrases v Password

Is this driven by a specific external requirement?

Unless your current passwords are laughably bad [1], I don't think this should be a priority. Passwords are stolen by 
malware and phishing, not cracking. To protect against sniffing attacks, use later versions of signed CIFS protocols. 
I'd advise you to leave passwords alone and try to get to "2-step verification" where it matters. Use 2-factor to 
protect the highest risk assets, but the "remember this device" strategy employed by Google, Facebook, Evernote, 
Amazon, DropBox, and many banks is pretty good.

[1] Until 2006, Carleton required passwords of exactly 8 characters, with no other checking. Help desk representatives 
were instructed to set passwords to "carleton" and politely ask users to change them later. A large percentage of users 
did not.
