Educause Security Discussion mailing list archives

Re: Interesting Research


From: Ashlar Trystan <atrystan () UW EDU>
Date: Tue, 2 Apr 2019 21:25:07 +0000

That article was fascinating, thanks for sharing.

--
Ashlar Trystan
Technology Systems Specialist
UW Learning Technologies
Academic & Student Affairs
Pronouns: They/Their

Mail: Box 353080
Odegaard Library, Room 240B
Street: 4060 George Washington Lane NE, Seattle, WA, 98105
206-221-4889
atrystan () uw edu<mailto:atrystan () uw edu>




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Greg Williams
Sent: Tuesday, April 2, 2019 2:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Interesting Research

Microsoft did a similar type of research regarding password reuse back in 2006. I have my students read this paper 
for my courses. They had 544k users opt in. They took the Microsoft Live Toolbar and it hashed the user's password on 
any site they visited. If they accessed another site and the password had the same hash, it would report the password 
reuse. No data was ever stored at Microsoft except how many times a password was reused and on how many different 
sites. You can read the paper, and you already knew that a typical user only has 5 to 6 unique passwords for 30 or so 
sites. This is obviously different now, 13 years later.

I agree with all the other comments, but you could ask the student to look at the research paper and see how they could 
improve their research methods by not storing the password as there are so many concerns with this.

The paper is at: https://dl.acm.org/citation.cfm?id=1242661

Greg Williams, ME
Director of Operations
Office of Information Technology
Lecturer
Department of Computer Science

University of Colorado Colorado Springs
1420 Austin Bluffs Parkway, (EPC 136A)
Colorado Springs, CO 80918
Phone: (719) 255-3292
Connect: Skype<skype:gwillia5 () uccs edu?chat> | WebEx<https://uccs.webex.com/meet/gregwilliams>
www.uccs.edu<http://www.uccs.edu/>
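
One way to get the measurements Ron's researcher is after (policy adherence and reuse) without ever retaining plaintext, along the lines of the toolbar approach Greg describes: the portal derives the policy metrics and a keyed hash at registration time and stores only those. This is an added example written for this archive page, not code from either message or from the Microsoft study; the study key, the policy thresholds and the sample registrations are constructed assumptions.

```python
import hashlib
import hmac
import string
from collections import defaultdict

# Constructed study key: generated once per study, kept off the collection
# server and destroyed when the study ends. Without it the tokens cannot be
# reversed or cracked offline, unlike a bare SHA-256 of the password.
STUDY_KEY = b"constructed-study-secret-not-for-real-use"

def policy_metrics(password):
    """Keep only what the policy question needs; the password itself is dropped."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return {"length": len(password),
            "classes": sum(any(t(c) for c in password) for t in tests)}

def meets_policy(metrics, min_len=12, min_classes=3):
    return metrics["length"] >= min_len and metrics["classes"] >= min_classes

def reuse_token(user, password):
    """Keyed hash standing in for the toolbar's per-password hash: equal
    passwords from one user give equal tokens, so reuse can be counted; the
    user id is mixed in so tokens are not comparable across users."""
    msg = user.encode() + b"\x00" + password.encode()
    return hmac.new(STUDY_KEY, msg, hashlib.sha256).hexdigest()

def record(store, user, site, password):
    """Run at registration time; only metrics and a token are appended."""
    entry = policy_metrics(password)
    entry.update(user=user, site=site, token=reuse_token(user, password))
    store.append(entry)

def summarize(store):
    """Count passwords each user reuses across sites, plus policy compliance."""
    sites = defaultdict(set)
    for e in store:
        sites[(e["user"], e["token"])].add(e["site"])
    return {"registrations": len(store),
            "reused_across_sites": sum(1 for s in sites.values() if len(s) > 1),
            "policy_compliant": sum(meets_policy(e) for e in store)}

# Constructed sample registrations (user, site, password); not real data.
SAMPLE = [("alice", "portal", "Summer2019!!"), ("alice", "library", "Summer2019!!"),
          ("alice", "mail", "summer"), ("bob", "portal", "Tr0ub4dor&3xyz")]
STORE = []
for u, s, p in SAMPLE:
    record(STORE, u, s, p)
```

The token is still a deterministic function of the password, so whoever holds STUDY_KEY can test guesses against it; an unkeyed hash would let anyone who obtains the store do the same offline, which is why the key stays off the collection server and is destroyed at the end of the study.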

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Tuesday, April 2, 2019 2:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Interesting Research

Fellow security pros,

I had an interesting research request come into my inbox today. A researcher wants to set up a portal for students to 
self-register with a username and password. The kicker is passwords will be stored in plain text and collected. The 
premise is to gauge whether students are actually adhering to suggested practices in password design.

My first reaction is "(heck) no," but I realize I may be overreacting. So, I decided to see if anyone has dealt with 
this kind of research and how you handled it.

While I see the value in the research, my security senses tell me students will be using their standard password they 
use for everything. Thus, big risk.

Feel free to contact me directly.

Thank you,
Ron

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu<mailto:raking () nsu edu>
www.nsu.edu<http://www.nsu.edu/>
@NSUCISO (Twitter)