Educause Security Discussion mailing list archives
Re: Interesting Research
From: "Tanner, Andrea" <atanner3 () CCBCMD EDU>
Date: Tue, 2 Apr 2019 23:13:54 +0000
Hi Ron,

In addition to the awesome feedback discussed here already, my main issue is consent. Are the users aware of what this site would be doing and do they know enough about security to truly give informed consent? I suspect not. I would have a hard time seeing it get by a quality IRB because of that.

And I ask myself: if my sister asked me about participating in a research project like this as a subject, what would I tell her? I would tell her to run away or use a fake password. So, if it is a fake password what is the real value of the study...

If the site (or a data dump) gets hacked (or a researcher or student on the team is not ethical and sells or uses the information for personal gain) then what? Can you imagine the press? If these are real usernames and passwords and we know people re-use passwords, I think it’s too risky.

Can they study password lists already out there on the dark web instead?

Andrea

Pronouns: She/Her/Hers
Andrea Tanner, M.S. | Senior Director, Technology Support | Community College of Baltimore County
Phone: 443-840-4155 | Catonsville Campus CLLB 104B | atanner3 () ccbcmd edu
CCBC. The incredible value of education.

On Apr 2, 2019, at 4:11 PM, King, Ronald A. <raking () nsu edu> wrote:

Fellow security pros,

I had an interesting research request come in my inbox today. A researcher wants to set up a portal for students to self-register with a username and password. The kicker is passwords will be stored in plain text and collected. The premise is to gauge whether students are actually adhering to suggested practices in password design.

My first reaction is “(heck) no,” but I realize I may be overreacting. So, I decided to see if anyone has dealt with this kind of research and how you handled it.

While I see the value in the research, my security senses tell me students will be using their standard password they use for everything. Thus big risk.

Feel free to contact me directly.

Thank you,
Ron

Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)