Educause Security Discussion mailing list archives
Re: Interesting Research
From: "Bridges, Robert A." <0000008d8011d045-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Tue, 2 Apr 2019 23:09:56 +0000
Alternatively, could the researcher only store interesting features of the passwords and not the passwords? For example:

* Length
* Number of lower/upper-case, numbers, other symbols
* Likelihood of the password given a model of words (e.g. created from a large vocabulary)
* Likelihood of the password given a model of passwords (e.g., from pwned databases)
* Distance of the password from things like the user's name, username, etc.
* Etc.

Robert A. Bridges, PhD, Cyber Security Research Mathematician, Oak Ridge National Laboratory

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Bridges, Robert A." <0000008d8011d045-dmarc-request () LISTSERV EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, April 2, 2019 at 4:07 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Interesting Research

Could the researcher create a relatively robust salting+hashing technique (or some kind of encryption) so the storage of the file is not decipherable by anyone else?

Secondly, regardless of your SOC's answer, the researcher will need the blessing of IRB I suspect, so they may have some guidance.

Sounds like it is worth it w/ some constraints---but I'm a researcher!

Bobby

Robert A. Bridges, PhD, Cyber Security Research Mathematician, Oak Ridge National Laboratory

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Clark Gaylord <cgaylord () VT EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, April 2, 2019 at 3:05 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Interesting Research

Many of us use Active Directory to store passwords. While not reversible, the hash is so weak as to effectively be storing weak passwords in clear text, as it is trivial to brute-force these. OTOH, non-hackable passwords remain secure in AD, and "harvesting" these may constitute some differential risk. That's only slightly tongue in cheek. :-)

I can sympathize with wanting to have the original raw data, while at the same time recognizing that you may be able to answer the significant research questions by collapsing into "reportable summary stats" -- length, to what extent were dictionary words at play, simple tack-on of a numeral, etc.

So what you could do is have a data gathering process report all the summary data you identify a priori, while sending the actual raw data to an encrypted file, where you escrow the private key with a trusted party. You could potentially even allow extraction of the weak passwords, even without identifying user name, while keeping the strong passwords secret. I've found showing a group of passwords the list of cracked passwords, without saying whose is whose, to have strong "pedagogical value". :-)

Finally, run it by your institutional review board. The researcher should be doing that anyway, and you can inform them of these approaches, relative risks, etc.

Interesting project. Curious to hear what you all decide and what the results are.

Clark

--
Clark Gaylord
cgaylord () vt edu
... autocorrect may have improved this message ...

On Tue, Apr 2, 2019, 16:11 King, Ronald A. <raking () nsu edu> wrote:

Fellow security pros,

I have an interesting research request that came into my inbox today. A researcher wants to set up a portal for students to self-register with a username and password. The kicker is passwords will be stored in plain text and collected. The premise is to gauge whether students are actually adhering to suggested practices in password design. My first reaction is "(heck) no," but I realize I may be overreacting. So, I decided to see if anyone has dealt with this kind of research and how you handled it.

While I see the value in the research, my security senses tell me students will be using their standard password they use for everything. Thus big risk.

Feel free to contact me directly.

Thank you,
Ron

Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)
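The "store features, not passwords" approach from the replies above, as an added example that is not code from the thread or from any of its posters. It is a registration handler that computes the summary features Bridges lists (length, character-class counts, likelihood under a password model and under a word model, edit distance to the username and name) and appends only those to the dataset, so the plaintext never leaves the request handler. The leaked-password list and the dictionary are constructed toy data standing in for a breach corpus and a large vocabulary; the bigram model, the Levenshtein helper and all function names are this example's own choices, not anything the posters described.

```python
"""
Added example: keep only password features, never the password.
The corpora below are constructed toy data, not real breach dumps.
"""
import math
import string
from collections import Counter

# Constructed stand-ins (not real data) for the two corpora the thread mentions:
# a "pwned" password list and a large word vocabulary.
TOY_LEAKED_PASSWORDS = [
    "password", "password1", "123456", "qwerty", "letmein",
    "iloveyou", "admin123", "welcome1", "monkey", "football",
]
TOY_DICTIONARY = [
    "apple", "banana", "campus", "dragon", "eagle", "falcon",
    "garden", "harbor", "island", "jungle", "kitten", "lemon",
]
LEAKED_SET = {p.lower() for p in TOY_LEAKED_PASSWORDS}


def train_bigram_model(corpus):
    """Character-bigram model with add-one smoothing.
    Returns a function giving the mean per-character log-likelihood of a
    string; higher (less negative) means 'looks more like the corpus'."""
    vocab = len(string.printable.strip()) + 2  # printable ASCII + start/end markers
    bigrams, firsts = Counter(), Counter()
    for text in corpus:
        padded = "^" + text + "$"
        for a, b in zip(padded, padded[1:]):
            bigrams[(a, b)] += 1
            firsts[a] += 1

    def log_likelihood(text):
        padded = "^" + text + "$"
        total = 0.0
        for a, b in zip(padded, padded[1:]):
            total += math.log((bigrams[(a, b)] + 1) / (firsts[a] + vocab))
        return total / (len(padded) - 1)

    return log_likelihood


LEAK_MODEL = train_bigram_model(TOY_LEAKED_PASSWORDS)
WORD_MODEL = train_bigram_model(TOY_DICTIONARY)


def levenshtein(a, b):
    """Case-insensitive edit distance (insert / delete / substitute)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def password_features(password, username, display_name):
    """What the study needs to know about a password, and nothing that lets
    the password itself be recovered from the stored record."""
    name_parts = display_name.split() or [""]
    return {
        "length": len(password),
        "lower": sum(c.islower() for c in password),
        "upper": sum(c.isupper() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "symbols": sum(not c.isalnum() for c in password),
        "trailing_digits": len(password) - len(password.rstrip(string.digits)),
        "in_leaked_list": password.lower() in LEAKED_SET,
        "leak_model_loglik": round(LEAK_MODEL(password), 3),
        "word_model_loglik": round(WORD_MODEL(password), 3),
        "dist_to_username": levenshtein(password, username),
        "dist_to_name": min(levenshtein(password, part) for part in name_parts),
    }


def register(username, display_name, password, store):
    """Registration handler: derive the features and append only those.
    No identity is kept either; the stated research question (are students
    following the guidance?) is answered by the aggregate."""
    record = password_features(password, username, display_name)
    store.append(record)
    del password  # the plaintext goes no further than this frame
    return record


if __name__ == "__main__":
    dataset = []
    register("jdoe", "Jane Doe", "jdoe2019", dataset)
    register("jdoe", "Jane Doe", "Zq7!xW2@pL", dataset)
    for row in dataset:
        print(row)
```

The two likelihood scores are the point of keeping a model rather than a blocklist: "password" scores well under the leak model even if a variant is not literally in the list, and a dictionary word scores well under the word model, while a random string scores poorly under both. Neither score, nor the distances, can be inverted to the password, which is what makes the record safe to hand to a researcher.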
Current thread:
- Interesting Research King, Ronald A. (Apr 02)
- Re: Interesting Research Jones, Mark B (Apr 02)
- Re: Interesting Research Albrecht, Travis (Apr 02)
- Re: Interesting Research Laverty, Patrick (Apr 02)
- Re: Interesting Research Barton, Robert W. (Apr 02)
- Re: Interesting Research Greg Williams (Apr 02)
- Re: Interesting Research Ashlar Trystan (Apr 02)
- Re: Interesting Research John McCabe (Apr 02)
- Re: Interesting Research Clark Gaylord (Apr 02)
- Re: Interesting Research Bridges, Robert A. (Apr 02)
- Re: Interesting Research Bridges, Robert A. (Apr 02)
- Re: Interesting Research Bridges, Robert A. (Apr 02)
- Re: Interesting Research Tanner, Andrea (Apr 02)
- Re: Interesting Research Von Welch (Work) (Apr 02)
- Re: Interesting Research John Chapman (Apr 03)
- Re: Interesting Research King, Ronald A. (Apr 09)
- Re: Interesting Research Mark Poepping (Apr 09)
- <Possible follow-ups>
- Re: Interesting Research Brad Judy (Apr 02)
- Re: Interesting Research Hiram Wong (Apr 02)
- Re: Interesting Research Gael Frouin (Apr 02)
- Re: Interesting Research Hiram Wong (Apr 02)