Re: Password change *recommended* -- RESULTS?

["Williams, Charles" <CWilliams () BEN EDU>]

The really difficult part is the training of people not to respond to the phishing attacks.  The attacks rely on our 
human gullibility and are becoming more sophisticated in their approach.  Even if we do a really good job of education 
and get the response rate down to 0.01%, that's 1 out of 10,000, that one response can cause havoc.

I'm not saying the education is not useful or a good idea.  I am saying that perfect protection from phishing seems to 
be impossible.

--Randy

Charles R. Williams 
IT Consultant 
Benedictine University 
5700 College Road 
Lisle, IL  60532

630-829-6025

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel L. 
Rosenblatt
Sent: Thursday, April 17, 2014 8:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

Hi,

I agree with this - I have analyzed brute force attacks and the average attack tries hundreds of ID's, but only 10-15 
passwords per ID (think top 10 passwords)

Spending a lot of time making really complicated passwords is misdirected effort in my opinion - it would be better 
spent on figuring out how to implement two factor authentication

Make sure that your passwords are none of the top 100 or dictionary words and then try and figure out how to prevent 
your users from answering phishing emails

My 2 cents
Joel


Joel Rosenblatt, Director Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 
612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3


On Thu, Apr 17, 2014 at 9:17 AM, Robert Meyers <REMeyers () mail wvu edu> wrote:
> I'd like to take this in a slightly different direction.
>
> With all the conversation about the need for complex passwords, how 
> many can honestly report that their institution has suffered a 
> significant data incident because of a hack or brute force attack on 
> user passwords? How many breaches have been reported in the edu 
> community because a user password was too weak?  I'm not disputing 
> anything with these questions, just honestly seeking evidence that 
> demands a clear verdict.  What I do see daily are users WILLINGLY 
> surrendering their login credentials to phishing scams, so password complexity doesn't enter into the conversation.
>
>
>
> I do spend the majority of my time with students teaching methods of 
> creating complex passwords as a means of elevating their overall cyber 
> security awareness.
>
>
>
> Bob Meyers
> WVU Information Security
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Walker
> Sent: Wednesday, April 16, 2014 4:44 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?
>
>
>
> Brady,
>
> Very real issues you've listed about multi-factor authentication.  
> I'll mention that the MFA Cohortium 
> (https://wiki.cohortium.internet2.edu/confluence/display/mfacohortium/
> Home), a group of 40-50 universities, is doing a work in the areas 
> you've mentioned.  Take a look; there are a number of white papers 
> available.
> You're also welcome to participate; information for how to do that is 
> available from the wiki page linked above.
>
> A couple of other links you may find of interest:
>
> ·        The FIDO Alliance (https://fidoalliance.org/), an industry group
> that has recently released specifications for a standard 
> authentication API for second factor and passwordless tokens.
>
> ·        The Multi-Context Broker (https://spaces.internet2.edu/x/BozFAg),
> an extension to Shibboleth that facilitates the integration of MFA and 
> assurance into a SAML IdP.
>
>
> Things are getting better, but they still have a ways to go.
>
> David
>
> On 04/16/2014 12:18 PM, McClenon, Brady wrote:
>
> Thanks, Joe.  I agree that MFA is the way to go, but with many 
> colleges depending on vendor supplied software MFA becomes more 
> difficult.  Does the service support MFA, and if so which solution?  
> SSO would make this easier, but SSO has the same set of issues.  Some 
> support CAS, some support SAML, some ADFS, etc...  It seems that until 
> SSO and MFA standards are achieved some are overwhelmed with the need 
> to support 2-3-4 solutions to the same problem.
>
>
>
> I follow some of your reasons outlined for password changes, and 
> again, thanks.  I will point out that the statements "Periodic 
> Password Changes Limit The Window for Brute Force Attacks" and "If you 
> do change your password, the attacker will need to restart their 
> cracking effort because cracking your old password typically won't 
> help the attacker deduce your new password" aren't entirely true.  The 
> attacker would only need to restart if your new password was one 
> he/she already tried prior to the change.  The window may not change 
> at all, and the probability that the change helped protect the password can be anywhere between 0-100% depending on 
> where the
> attacker was in his list when the password was changed.   So while there is
> some value against brute force the value seems somewhat undeterminable.
>
>
>
>
>
>
>
>
>
> -----Original Message-----
>
> From: Joe St Sauver [mailto:joe () oregon uoregon edu]
>
> Sent: Wednesday, April 16, 2014 10:39 AM
>
> To: McClenon, Brady
>
> Cc: security () listserv educause edu
>
> Subject: Re: Password change *recommended* -- RESULTS?
>
>
>
> Good morning!
>
>
>
> Brady asked:
>
>
>
> #Except in the case of an incident were passwords may have be leaked 
> or #otherwise compromised, in which case it seems it would be a 
> required #change and just not recommended, I'm curious to the thoughts 
> of those #here on why you would enforce periodic password changes on users.
>
>
>
> I outlined a few reasons in an NWACC talk on passwords that you can 
> find at http://pages.uoregon.edu/joe/passwords/passwords.pdf (section 
> 4 talks about the password change issue)
>
>
>
> That said, the fundamental problem is that at this stage of the game, 
> plain old passwords just aren't good enough anymore -- yet we still 
> don't see ubiquitous deployment of multifactor on most campuses. Why?
>
>
>
> I attempted to discuss some of the reasons that people may have
>
> *historically* had, and why they may no longer be applicable, in a 
> talk I did last week in Denver at the Internet2 Global Summit; see 
> http://pages.uoregon.edu/joe/global-summit-mfa/global-summit-mfa.pdf
>
>
>
> If you all are not doing multifactor, did I catch the reason(s) why in 
> thos slides? If I missed a fundamental reason, I'd love to hear 
> about/understand it better.
>
>
>
> Do we all just secretly love passwords for some sort of weird cultural 
> reasons? :-;
>
>
>
> Regards,
>
>
>
> Joe