Educause Security Discussion mailing list archives

Re: Interesting Research


From: "Bridges, Robert A." <0000008d8011d045-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Tue, 2 Apr 2019 23:09:56 +0000

Alternatively, could the researcher only store interesting features of the passwords and not the passwords? For example

  *   Length
  *   Number of lower/upper-case, numbers, other symbols
  *   Likelihood of the password given a model of words (e.g. created from a large vocabulary)
  *   Likelihood of the password given a model of passwords (e.g., from pwned databases)
  *   Distance of the password from things like the user's name, username, etc.
  *   Etc.



Robert A. Bridges, PhD, Cyber Security Research Mathematician, Oak Ridge National Laboratory
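A sketch of the feature-only storage proposed above, as an added example that is not from the thread: it records length, character-class counts, edit distance to the user's identifiers, the longest dictionary word present, and a character-bigram log-likelihood under a constructed stand-in for a breach corpus, and never retains the password itself. The vocabulary and leaked list are placeholders for the large corpora a real study would use.

```python
import math
from collections import Counter

# Constructed stand-ins; a real study would load a large vocabulary and a breach corpus.
VOCAB = {"password", "summer", "welcome", "dragon", "norfolk", "spartan"}
LEAKED = ["password1", "welcome123", "summer2018", "dragon!", "qwerty", "letmein"]

def train_bigram(corpus):
    """Laplace-smoothed character-bigram model: (bigram counts, unigram counts, alphabet size)."""
    bigrams, unigrams = Counter(), Counter()
    for pw in corpus:
        s = "^" + pw + "$"            # ^ and $ mark start/end so boundaries are modelled
        unigrams.update(s[:-1])
        bigrams.update(zip(s, s[1:]))
    alphabet = {c for pw in corpus for c in pw} | {"^", "$"}
    return bigrams, unigrams, len(alphabet)

def log_likelihood(pw, model):
    """Log-probability of pw under the bigram model (higher = more 'breach-like')."""
    bigrams, unigrams, v = model
    s = "^" + pw + "$"
    return sum(math.log((bigrams[(a, b)] + 1) / (unigrams[a] + v)) for a, b in zip(s, s[1:]))

def levenshtein(a, b):
    """Standard edit distance; used to measure closeness to the user's identifiers."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def password_features(pw, username, fullname, model):
    """Summary features to store instead of the password; the password is discarded after this."""
    lower = pw.lower()
    identifiers = [username.lower()] + fullname.lower().split()
    return {
        "length": len(pw),
        "lower": sum(c.islower() for c in pw),
        "upper": sum(c.isupper() for c in pw),
        "digits": sum(c.isdigit() for c in pw),
        "other": sum(not c.isalnum() for c in pw),
        "longest_vocab_word": max((len(w) for w in VOCAB if w in lower), default=0),
        "min_identifier_distance": min(levenshtein(lower, i) for i in identifiers),
        "loglik_per_char": round(log_likelihood(pw, model) / (len(pw) + 1), 3),
    }

if __name__ == "__main__":
    m = train_bigram(LEAKED)
    print(password_features("Summer2018!", "rking", "Ron King", m))
```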

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Bridges, Robert 
A." <0000008d8011d045-dmarc-request () LISTSERV EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, April 2, 2019 at 4:07 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Interesting Research

Could the researcher create a relatively robust salting+hashing technique (or some kind of encryption) so the storage 
of the file is not decipherable by anyone else?

Secondly, regardless of your SOC's answer, the researcher will need the blessing of IRB I suspect, so they may have some 
guidance.

Sounds like it is worth it w/ some constraints---but I'm a researcher!

Bobby



Robert A. Bridges, PhD, Cyber Security Research Mathematician, Oak Ridge National Laboratory

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Clark Gaylord 
<cgaylord () VT EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, April 2, 2019 at 3:05 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Interesting Research

Many of us use Active Directory to store passwords. While not reversible, the hash is so weak as to effectively be 
storing weak passwords in clear text, being trivial to brute force these. Otoh, non hackable passwords remain secure in 
AD, and "harvesting" these may constitute some differential risk. That's only slightly tongue in cheek. :-)

I can sympathize for wanting to have the original raw data, while at the same time recognizing that you may be able to 
answer the significant research questions by collapsing into "reportable summary stats" -- length, to what extent were 
dictionary words at play, simple tack on a numeral, etc. So what you could do is have a data gathering process report 
all the summary data you identify a priori, while sending the actual raw data to an encrypted file, where you escrow 
the private key with a trusted party.

You could potentially even allow extraction of the weak passwords, even without identifying user name, while keeping 
the strong passwords secret. I've found showing a group of passwords the list of cracked passwords, without saying 
whose is whose, to have strong "pedagogical value". :-)

Finally, run it by your institutional review board. The researcher should be doing that anyway, and you can inform them 
of these approaches, relative risks, etc.

Interesting project. Curious to hear what you all decide and what the results are.

Clark
--
Clark Gaylord
cgaylord () vt edu
... autocorrect may have improved this message ...

On Tue, Apr 2, 2019, 16:11 King, Ronald A. <raking () nsu edu> wrote:
Fellow security pros,

I have an interesting research request come in my inbox today. A researcher wants to setup a portal for students to 
self-register with a username and password. The kicker is passwords will be stored in plain text and collected. The 
premise is to gauge whether students are actually adhering to suggested practices in password design.

My first reaction is "(heck) no," but I realize I may be overreacting. So, I decided to see if anyone has dealt with 
this kind of research and how you handled it.

While I see the value in the research, my security senses tell me students will be using their standard password they 
use for everything. Thus big risk.

Feel free to contact me directly.

Thank you,
Ron

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)