Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Bob Bayn <Bob.Bayn () USU EDU>
Date: Mon, 19 Nov 2007 19:06:53 -0700

--- Begin Message ---
Gene Spafford wrote from Purdue:

I track these things, and I cannot recall the last time I saw any
report of an incident caused by a guessed password.  Most common
incidents are phishing, trojans, snooping, physical theft of sensitive
media, and remote exploitation of bugs.

What finally prompted us to get off our "any 4 or more characters"
butts was dictionary attacks that were hitting our proxy server
and VPN server from Chinese IP addresses.  Once past our firewall
through proxy or VPN they are able to snoop our network from inside
probing machines undetected, and do unappreciated things like
download subscription databases from the library until the provider
got suspicious of the traffic.

That doesn't leave me feeling like I'm just pretending to
provide security by doing something easy that looks important.

We still deal with phishing, trojans and all manner of scanning
probes for vulnerabilities and all those things that make us
feel like we really are earning our paycheck.

Bob
Utah State University

--- End Message ---
