Educause Security Discussion mailing list archives

Re: Security Awareness Programs


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Wed, 2 Apr 2014 21:44:08 -0400

On Apr 2, 2014, at 5:23 PM, Shane Williams <shanew () ISCHOOL UTEXAS EDU> wrote:

I've recently had this discussion with our faculty, and this was the
point I kept making, all the while referring to the "mass password
exposure" of the week.  Unfortunately, almost no articles or blogs
from before 2012 make any mention of this threat,

Oh, it was out there.  Simson and I included it in our books in the 90s.  I was teaching it in classes throughout the 
90s & 2000s.  Alec Muffett published a great story about password reuse in the 90s, too.

This was an old and well-known problem.  That's part of the problem with security these days -- all the people who have 
gotten into it recently don't study or learn the stuff that was widely known and taught before they "discovered" 
security.

--spaf

much less academic
papers (where faculty place more trust).  Admittedly, the incidence of
mass exposures pre-2012 wasn't what it is today, but I'm surprised
that even now very few "experts" talk about this particular risk.


On Wed, 2 Apr 2014, Roger A Safian wrote:

I believe one of the benefits of changing the password is that it's not uncommon for web services to use an email address as a user name.  If a user uses our address, and their associated password, and later that web service gets compromised, there is a decent chance when the hashes are dumped that they will have had to change our password and will no longer sync them.

-- 
Shane Williams
Senior Information Technology Manager
School of Information, University of Texas at Austin
shanew () ischool utexas edu - 512-471-9471

