Educause Security Discussion mailing list archives
Re: Interesting Research
From: Ashlar Trystan <atrystan () UW EDU>
Date: Tue, 2 Apr 2019 21:25:07 +0000
That article was fascinating, thanks for sharing.

--
Ashlar Trystan
Technology Systems Specialist
UW Learning Technologies
Academic & Student Affairs
Pronouns: They/Their
Mail: Box 353080
Odegaard Library, Room 240B
Street: 4060 George Washington Lane NE, Seattle, WA, 98105
206-221-4889
atrystan () uw edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Greg Williams
Sent: Tuesday, April 2, 2019 2:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Interesting Research

Microsoft did some similar type of research regarding password reuse back in 2006. I have my students read this paper for my courses. They had 544k users opt in. They took the Microsoft Live Toolbar and it hashed the user's password on any site they visited. If they accessed another site and the password had the same hash, it would report the password reuse. No data was ever stored at Microsoft except how many times a password was reused and on how many different sites. You can read the paper, and you already knew that a typical user only has 5 to 6 unique passwords for 30 or so sites. This is obviously different now, 13 years later.

I agree with all the other comments, but you could ask the student to look at the research paper and see how they could improve their research methods by not storing the password as there are so many concerns with this.

The paper is at: https://dl.acm.org/citation.cfm?id=1242661

Greg Williams, ME
Director of Operations
Office of Information Technology
Lecturer
Department of Computer Science
University of Colorado Colorado Springs
1420 Austin Bluffs Parkway, (EPC 136A)
Colorado Springs, CO 80918
Phone: (719) 255-3292
Connect: Skype<skype:gwillia5 () uccs edu?chat> | WebEx<https://uccs.webex.com/meet/gregwilliams>
www.uccs.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Tuesday, April 2, 2019 2:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Interesting Research

Fellow security pros,

I had an interesting research request come into my inbox today. A researcher wants to set up a portal for students to self-register with a username and password. The kicker is passwords will be stored in plain text and collected. The premise is to gauge whether students are actually adhering to suggested practices in password design.

My first reaction is "(heck) no," but I realize I may be overreacting. So, I decided to see if anyone has dealt with this kind of research and how you handled it.

While I see the value in the research, my security senses tell me students will be using their standard password they use for everything. Thus big risk.

Feel free to contact me directly.

Thank you,
Ron

Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)
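As an added illustration that is not part of the thread or of the cited paper, the following Python sketch shows one way a study could measure password-design adherence and reuse without ever storing a password, along the lines suggested above. The class `ReuseMeter`, the per-participant HMAC key, the feature set and the sample logins are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

class ReuseMeter:
    """Client-side meter: sees passwords, keeps only keyed fingerprints and counts."""

    def __init__(self):
        # Per-participant key, generated locally and never uploaded (assumption).
        self._key = secrets.token_bytes(32)
        self._sites_by_fp = defaultdict(set)   # fingerprint -> sites it was used on

    def _fingerprint(self, password: str) -> str:
        # Keyed hash: a leaked fingerprint cannot be brute-forced without the local key.
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def observe(self, site: str, password: str) -> dict:
        """Record one login and return policy features; the password is not retained."""
        self._sites_by_fp[self._fingerprint(password)].add(site.lower())
        return {
            "length": len(password),
            "lower": any(c in string.ascii_lowercase for c in password),
            "upper": any(c in string.ascii_uppercase for c in password),
            "digit": any(c in string.digits for c in password),
            "symbol": any(c in string.punctuation for c in password),
        }

    def report(self) -> dict:
        """Aggregate counts only: the only data meant to leave the client."""
        reuse = sorted((len(s) for s in self._sites_by_fp.values()), reverse=True)
        return {
            "unique_passwords": len(reuse),
            "sites": len(set().union(*self._sites_by_fp.values())),
            "sites_per_password": reuse,
        }

# Constructed sample logins (not real credentials).
SAMPLE = [
    ("mail.example", "Tr0ub4dor&3"),
    ("shop.example", "Tr0ub4dor&3"),
    ("bank.example", "correct horse battery staple"),
]

def run_sample():
    meter = ReuseMeter()
    features = [meter.observe(site, pw) for site, pw in SAMPLE]
    return meter.report(), features
```

Only the dictionaries returned by `observe` and `report` would be submitted to the researcher; the key and the fingerprint table stay on the participant's machine.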