Re: Password change *recommended* -- RESULTS?

[Roger A Safian <r-safian () NORTHWESTERN EDU>]

Multi factor...

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Williams, Charles
> Sent: Thursday, April 17, 2014 8:46 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?
>
> The really difficult part is the training of people not to respond to the
> phishing attacks.  The attacks rely on our human gullibility and are becoming
> more sophisticated in their approach.  Even if we do a really good job of
> education and get the response rate down to 0.01%, that's 1 out of 10,000,
> that one response can cause havoc.
>
> I'm not saying the education is not useful or a good idea.  I am saying that
> perfect protection from phishing seems to be impossible.
>
> --Randy
>
> Charles R. Williams
> IT Consultant
> Benedictine University
> 5700 College Road
> Lisle, IL  60532
>
> 630-829-6025
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel L. Rosenblatt
> Sent: Thursday, April 17, 2014 8:32 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?
>
> Hi,
>
> I agree with this - I have analyzed brute force attacks and the average attack
> tries hundreds of ID's, but only 10-15 passwords per ID (think top 10
> passwords)
>
> Spending a lot of time making really complicated passwords is misdirected
> effort in my opinion - it would be better spent on figuring out how to
> implement two factor authentication
>
> Make sure that your passwords are none of the top 100 or dictionary words
> and then try and figure out how to prevent your users from answering
> phishing emails
>
> My 2 cents
> Joel
>
>
> Joel Rosenblatt, Director Network & Computer Security Columbia
> Information Security Office (CISO) Columbia University, 612 W 115th Street,
> NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C
> 3
>
>
> On Thu, Apr 17, 2014 at 9:17 AM, Robert Meyers <REMeyers () mail wvu edu>
> wrote:
> > I'd like to take this in a slightly different direction.
> >
> > With all the conversation about the need for complex passwords, how
> > many can honestly report that their institution has suffered a
> > significant data incident because of a hack or brute force attack on
> > user passwords? How many breaches have been reported in the edu
> > community because a user password was too weak?  I'm not disputing
> > anything with these questions, just honestly seeking evidence that
> > demands a clear verdict.  What I do see daily are users WILLINGLY
> > surrendering their login credentials to phishing scams, so password
> complexity doesn't enter into the conversation.
> > I do spend the majority of my time with students teaching methods of
> > creating complex passwords as a means of elevating their overall cyber
> > security awareness.
> >
> >
> >
> > Bob Meyers
> > WVU Information Security
> >
> >
> >
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Walker
> > Sent: Wednesday, April 16, 2014 4:44 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?
> >
> >
> >
> > Brady,
> >
> > Very real issues you've listed about multi-factor authentication.
> > I'll mention that the MFA Cohortium
> > (https://wiki.cohortium.internet2.edu/confluence/display/mfacohortium/
> > Home), a group of 40-50 universities, is doing a work in the areas
> > you've mentioned.  Take a look; there are a number of white papers
> > available.
> > You're also welcome to participate; information for how to do that is
> > available from the wiki page linked above.
> >
> > A couple of other links you may find of interest:
> >
> > ·        The FIDO Alliance (https://fidoalliance.org/), an industry group
> > that has recently released specifications for a standard
> > authentication API for second factor and passwordless tokens.
> >
> > ·        The Multi-Context Broker (https://spaces.internet2.edu/x/BozFAg),
> > an extension to Shibboleth that facilitates the integration of MFA and
> > assurance into a SAML IdP.
> >
> >
> > Things are getting better, but they still have a ways to go.
> >
> > David
> >
> > On 04/16/2014 12:18 PM, McClenon, Brady wrote:
> >
> > Thanks, Joe.  I agree that MFA is the way to go, but with many
> > colleges depending on vendor supplied software MFA becomes more
> > difficult.  Does the service support MFA, and if so which solution?
> > SSO would make this easier, but SSO has the same set of issues.  Some
> > support CAS, some support SAML, some ADFS, etc...  It seems that until
> > SSO and MFA standards are achieved some are overwhelmed with the
> need
> > to support 2-3-4 solutions to the same problem.
> >
> >
> >
> > I follow some of your reasons outlined for password changes, and
> > again, thanks.  I will point out that the statements "Periodic
> > Password Changes Limit The Window for Brute Force Attacks" and "If you
> > do change your password, the attacker will need to restart their
> > cracking effort because cracking your old password typically won't
> > help the attacker deduce your new password" aren't entirely true.  The
> > attacker would only need to restart if your new password was one
> > he/she already tried prior to the change.  The window may not change
> > at all, and the probability that the change helped protect the password can
> be anywhere between 0-100% depending on where the
> > attacker was in his list when the password was changed.   So while there is
> > some value against brute force the value seems somewhat
> undeterminable.
> > -----Original Message-----
> >
> > From: Joe St Sauver [mailto:joe () oregon uoregon edu]
> >
> > Sent: Wednesday, April 16, 2014 10:39 AM
> >
> > To: McClenon, Brady
> >
> > Cc: security () listserv educause edu
> >
> > Subject: Re: Password change *recommended* -- RESULTS?
> >
> >
> >
> > Good morning!
> >
> >
> >
> > Brady asked:
> >
> >
> >
> > #Except in the case of an incident were passwords may have be leaked
> > or #otherwise compromised, in which case it seems it would be a
> > required #change and just not recommended, I'm curious to the thoughts
> > of those #here on why you would enforce periodic password changes on
> users.
> > I outlined a few reasons in an NWACC talk on passwords that you can
> > find at http://pages.uoregon.edu/joe/passwords/passwords.pdf (section
> > 4 talks about the password change issue)
> >
> >
> >
> > That said, the fundamental problem is that at this stage of the game,
> > plain old passwords just aren't good enough anymore -- yet we still
> > don't see ubiquitous deployment of multifactor on most campuses. Why?
> >
> >
> >
> > I attempted to discuss some of the reasons that people may have
> >
> > *historically* had, and why they may no longer be applicable, in a
> > talk I did last week in Denver at the Internet2 Global Summit; see
> > http://pages.uoregon.edu/joe/global-summit-mfa/global-summit-mfa.pdf
> >
> >
> >
> > If you all are not doing multifactor, did I catch the reason(s) why in
> > thos slides? If I missed a fundamental reason, I'd love to hear
> > about/understand it better.
> >
> >
> >
> > Do we all just secretly love passwords for some sort of weird cultural
> > reasons? :-;
> >
> >
> >
> > Regards,
> >
> >
> >
> > Joe