Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Benjamin Bennett <ben () PSC EDU>
Date: Mon, 19 Nov 2007 22:24:45 -0500
Gene Spafford wrote:
> I track these things, and I cannot recall the last time I saw any report of an incident caused by a guessed password. Most common incidents are phishing, trojans, snooping, physical theft of sensitive media, and remote exploitation of bugs.

I see intrusions as a result of guessed passwords probably a couple times a year. IIRC, they have always been horrendously weak passwords and come with a statement such as "I didn't realize that service was remotely accessible" or "it was supposed to be temporary".

Many people are not aware of the methods used by attackers, or even why someone would want to attack their machine. To these people measures such as passwords are simply a hassle they don't want to deal with, one that is minimized by choosing "password" or "changeme".

Take your environment into account when outlining a password policy. If your users are all security-minded folks (by choice or by having it beaten into them), perhaps you don't need the policy. If some portion of your users are the type I just described and you see these types of incidents, perhaps a policy is well worth your time.

Oh, and if those users tend to be fluent in other languages you may want to include foreign dictionaries in your policy as well.

--ben