Educause Security Discussion mailing list archives
Re: Interesting Research
From: John McCabe <0000009ba94df455-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Tue, 2 Apr 2019 17:38:20 -0400
Hi Ron,

Like you, I would say "heck no!" It may be a fool's errand, but this researcher may not be familiar with the research domain. If they are just entering this field, you may need to be attentive to what they are doing on campus.

See if they have read "Do Users' Perceptions of Password Security Match Reality?", https://www.blaseur.com/papers/chi16-pwperceptions.pdf, and if so, what their thoughts are on the methodology. It sidesteps recording active user passwords and considers human perceptions of password strength. Another important paper to gauge their familiarity would be "The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis," http://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf, which questions password expiration. A third paper would be "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords," https://www.cs.umd.edu/~jkatz/security/downloads/passwords_revealed-weir.pdf, which questions entropy-based password creation strength tests such as NIST SP 800-63 used to.

Datasets are crucial in research. It is vitally important that researchers do not invest in research problems where the datasets are risky, incomplete, or erroneous. The National Science Foundation requires researchers to be very mindful with respect to human test subjects, https://www.nsf.gov/bfa/dias/policy/human.jsp. Any identifying information (which the password may be) OR any data that would reasonably risk harm (which may be true if the user reuses passwords) is not allowed. This research may not be funded by the NSF, but the NSF policy is reasonable to most people and likely to your local civil court.

If this researcher acts carefree about any of this, you should alert your institution's general counsel and this researcher's supervising dean.

Regards,
John

On Tue, Apr 2, 2019 at 4:11 PM King, Ronald A. <raking () nsu edu> wrote:
> Fellow security pros,
>
> I have an interesting research request come in my inbox today. A researcher wants to set up a portal for students to self-register with a username and password. The kicker is that passwords will be stored in plain text and collected. The premise is to gauge whether students are actually adhering to suggested practices in password design.
>
> My first reaction is "(heck) no," but I realize I may be overreacting. So, I decided to see if anyone has dealt with this kind of research and how you handled it. While I see the value in the research, my security senses tell me students will be using their standard password they use for everything. Thus, big risk.
>
> Feel free to contact me directly.
>
> Thank you,
> Ron
>
> Ronald King
> Chief Information Security Officer
> Office of Information Technology
> (757) 823-2916 (Office)
> raking () nsu edu
> www.nsu.edu
> @NSUCISO (Twitter)
--
John McCabe
Senior Information Security Manager & Data Protection Officer
Information Technology Services
Riverdale, NY 10471
Phone: 718-862-7926
john.mccabe01 () manhattan edu
www.manhattan.edu
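The study Ron describes (gauging whether students follow password-design guidance) does not actually need the plaintext to be retained. The following is an added illustration, not code from the thread or from either institution, of how a registration endpoint can compute the policy-adherence features at submission time, store only a salted PBKDF2 hash plus those coarse, non-reversible features, and still authenticate the user afterwards. The 12-character/3-class policy, the tiny "common password" set and the PBKDF2 parameters are assumptions chosen for the example.

```python
"""Measure password-policy adherence at registration without keeping the password.

Added example for the mailing-list thread above; not code from the original post.
Only a salted hash and derived, non-reversible metrics are ever written to the store.
"""
import hashlib
import hmac
import os
import string

# Constructed stand-in for a breached/common-password list (hypothetical, for the example).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Example policy (assumed): at least 12 characters and at least 3 character classes.
MIN_LENGTH = 12
MIN_CLASSES = 3

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


def password_metrics(pw: str) -> dict:
    """Return only derived features of the password, never the password itself.

    These are the kinds of figures a password-practices study would aggregate
    (length, character-class mix, whether the value is a widely known password).
    """
    classes = {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    class_count = sum(classes.values())
    return {
        "length": len(pw),
        "class_count": class_count,
        "is_common": pw.lower() in COMMON_PASSWORDS,
        "meets_policy": len(pw) >= MIN_LENGTH and class_count >= MIN_CLASSES,
    }


def _derive(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (one-way)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, pw: str, store: dict) -> dict:
    """Create the account record: salt, hash and metrics. The plaintext is not stored."""
    salt = os.urandom(16)
    record = {
        "salt": salt.hex(),
        "hash": _derive(pw, salt).hex(),
        "metrics": password_metrics(pw),  # computed here, then the plaintext is dropped
    }
    store[username] = record
    return record


def verify(username: str, pw: str, store: dict) -> bool:
    """Authenticate against the stored hash using a constant-time comparison."""
    record = store.get(username)
    if record is None:
        return False
    candidate = _derive(pw, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def adherence_rate(store: dict) -> float:
    """Fraction of registered accounts whose password met the policy (the study's headline number)."""
    if not store:
        return 0.0
    passing = sum(1 for rec in store.values() if rec["metrics"]["meets_policy"])
    return passing / len(store)


if __name__ == "__main__":
    accounts: dict = {}
    register("student1", "Tr0ub4dor&3xyz", accounts)  # constructed sample input
    register("student2", "password", accounts)        # constructed sample input
    for name, rec in accounts.items():
        print(name, rec["metrics"])
    print("adherence rate:", adherence_rate(accounts))
```

Even the derived metrics are data about people's secrets: a flag such as `is_common` narrows the search space for anyone who obtains the record, so a study should keep the metrics coarse, report them only in aggregate, and run under the same human-subjects review the thread discusses.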