Educause Security Discussion mailing list archives
Re: Security Awareness Programs
From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Wed, 2 Apr 2014 21:44:08 -0400
On Apr 2, 2014, at 5:23 PM, Shane Williams <shanew () ISCHOOL UTEXAS EDU> wrote:
I've recently had this discussion with our faculty, and this was the point I kept making, all the while referring to the "mass password exposure" of the week. Unfortunately, almost no articles or blogs from before 2012 make any mention of this threat,
Oh, it was out there. Simson and I included it in our books in the 90s. I was teaching it in classes throughout the 90s & 2000s. Alec Muffett published a great story about password reuse in the 90s, too. This was an old and well-known problem. That's part of the problem with security these days -- all the people who have gotten into it recently don't study or learn the stuff that was widely known and taught before they "discovered" security. --spaf
much less academic papers (where faculty place more trust). Admittedly, the incidence of mass exposures pre-2012 wasn't what it is today, but I'm surprised that even now very few "experts" talk about this particular risk. On Wed, 2 Apr 2014, Roger A Safian wrote:--_000_2C17E27E26DEE641AEECF7583B3CAB1A25987D2Bevcspmbx1adsnor_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I believe one of the benefits of changing the password is that it's not unc= ommon for web services to use an email address as a user name. If a user u= ses our address, and their associated password, and later that web service = gets compromised, there is a decent chance when the hashes are dumped that = they will have had to change our password and will no longer sync them.-- Shane Williams Senior Information Technology Manager School of Information, University of Texas at Austin shanew () ischool utexas edu - 512-471-9471
Current thread:
- Re: Security Awareness Programs, (continued)
- Re: Security Awareness Programs Mike Cunningham (Apr 03)
- Re: Security Awareness Programs Joel L. Rosenblatt (Apr 02)
- Re: Security Awareness Programs Ben Woelk (Apr 02)
- Re: Security Awareness Programs Shane Williams (Apr 02)
- Password expiration - was Re: [SECURITY] Security Awareness Programs Von Welch (Apr 02)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Roger A Safian (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Ruth Ginzberg (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Isabelle Grey (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Von Welch (Apr 03)
- Re: Password expiration - was Re: [SECURITY] Security Awareness Programs Roger A Safian (Apr 03)
- Password expiration - was Re: [SECURITY] Security Awareness Programs Von Welch (Apr 02)