Educause Security Discussion mailing list archives

Re: Interesting Research


From: Clark Gaylord <cgaylord () VT EDU>
Date: Tue, 2 Apr 2019 17:54:48 -0400

Many of us use Active Directory to store passwords. While not reversible,
the hash is so weak as to effectively be storing weak passwords in clear
text, being trivial to brute force these. Otoh, non hackable passwords
remain secure in AD, and "harvesting" these may constitute some
differential risk. That's only slightly tongue in cheek. :-)

I can sympathize for wanting to have the original raw data, while at the
same time recognizing that you may be able to answer the significant
research questions by collapsing into "reportable summary stats" -- length,
to what extent were dictionary words at play, simple tack on a numeral,
etc. So what you could do is have a data gathering process report all the
summary data you identify a priori, while sending the actual raw data to an
encrypted file, where you escrow the private key with a trusted party.

You could potentially even allow extraction of the weak passwords, even
without identifying user name, while keeping the strong passwords secret.
I've found showing a group of passwords the list of cracked passwords,
without saying whose is whose, to have strong "pedagogical value". :-)

Finally, run it by your institutional review board. The researcher should
be doing that anyway, and you can inform them of these approaches, relative
risks, etc.

Interesting project. Curious to hear what you all decide and what the
results are.

Clark

--
Clark Gaylord
cgaylord () vt edu
... autocorrect may have improved this message ...
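One way to build the "report summary stats a priori" collector described above, as an added example that is not part of this thread or any institution's code: each password is reduced to features decided in advance (length, character classes, dictionary base word, tacked-on numeral or symbol) and the password itself is never kept; the toy dictionary and sample inputs are constructed, and the escrowed encryption of the raw data is left out.

```python
import re
import string
from collections import Counter

# Constructed toy dictionary; a real study would load a proper wordlist.
DICTIONARY = {"password", "summer", "welcome", "football", "monkey", "hokies"}

# Split "<base><trailing digits><trailing symbols>", e.g. Summer2019! -> Summer / 2019 / !
TRAILING = re.compile(r"^(?P<base>.*?)(?P<digits>\d*)(?P<symbols>[^\w\s]*)$")


def summarize(password: str, dictionary=DICTIONARY) -> dict:
    """Reduce one password to pre-agreed summary features and nothing else.

    The returned dict deliberately omits the password itself, so only these
    features leave the collection point in clear form.
    """
    m = TRAILING.match(password)
    base, digits, symbols = m.group("base"), m.group("digits"), m.group("symbols")
    return {
        "length": len(password),
        "has_upper": any(c.isupper() for c in password),
        "has_lower": any(c.islower() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "has_symbol": any(c in string.punctuation for c in password),
        "dictionary_base": base.lower() in dictionary,
        "tacked_on_numeral": bool(base) and bool(digits),
        "tacked_on_symbol": bool(base) and bool(symbols),
    }


def is_weak(features: dict) -> bool:
    """Simple a-priori weakness rule: dictionary word, short, or one char class."""
    classes = sum(features[k] for k in ("has_upper", "has_lower", "has_digit", "has_symbol"))
    return features["dictionary_base"] or features["length"] < 8 or classes < 2


def aggregate(passwords, dictionary=DICTIONARY) -> dict:
    """Roll per-password summaries up into reportable counts."""
    feats = [summarize(p, dictionary) for p in passwords]
    report = {"count": len(feats), "length_hist": Counter(f["length"] for f in feats)}
    for key in ("dictionary_base", "tacked_on_numeral", "tacked_on_symbol"):
        report[key] = sum(f[key] for f in feats)
    report["weak"] = sum(is_weak(f) for f in feats)
    return report


if __name__ == "__main__":
    # Constructed sample input; nothing below retains the raw strings.
    print(aggregate(["Summer2019!", "hokies1", "Tr0ub4dor&3", "password"]))
```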

On Tue, Apr 2, 2019, 16:11 King, Ronald A. <raking () nsu edu> wrote:

Fellow security pros,

I had an interesting research request come into my inbox today. A
researcher wants to set up a portal for students to self-register with a
username and password. The kicker is passwords will be stored in plain text
and collected. The premise is to gauge whether students are actually
adhering to suggested practices in password design.

My first reaction is “(heck) no,” but I realize I may be overreacting. So,
I decided to see if anyone has dealt with this kind of research and how you
handled it.

While I see the value in the research, my security senses tell me students
will be using their standard password they use for everything. Thus big
risk.

Feel free to contact me directly.

Thank you,

Ron

*Ronald King*

*Chief Information Security Officer*

*Office of Information Technology*

(757) 823-2916 (Office)

raking () nsu edu

www.nsu.edu

@NSUCISO (Twitter)