Educause Security Discussion mailing list archives
Re: Please do not change your password
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 14 Apr 2010 11:54:32 -0400
On 4/14/2010 9:42 AM, SCHALIP, MICHAEL wrote:
> So - this does beg the question - even though longer passwords are theoretically harder to "crack", who cares....the bad guys are just going to go around them anyway....?
For obtaining arbitrary usernames/passwords "in bulk", phishing is disturbingly effective. I am reminded of this on an increasing basis, as each phishing run we see slip by our spam appliances is followed shortly thereafter by spamming runs from the bad guys using credentials they managed to collect from the same run. Questioning the "victims" afterward (accounts are disabled, user calls helpdesk) confirms the cause-and-effect: they indeed responded (generally speaking; there are some cases of 'plausible deniability'...).

Combine this with the user trend of often using the same usernames/passwords for multiple sites, and/or the increasing "strategic objective" of localized single sign-ons, and the situation takes on an entirely different viewpoint. You need only "phish" one targeted use of credentials and you gain the keys to the kingdom.

Complex passwords may help in a *targeted* attack on an *educated* user with *valued* assets, but that is the opposite end of the spectrum from these bulk credential thefts [e.g., nuclear launch codes vs spamming credentials for webmail]. Hopefully the former category will employ 2FA or other mechanisms "out-of-band" from the second category, and less susceptible to MITM / keylogger / replay transit capture.

In other words, incredibly complicated passwords are of no added value when the user simply gives them away (voluntarily via phish or covertly via keylogger).

Jeff
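The phish-then-spam sequence described in the message above can be turned into a simple detection: flag accounts that received a message later tagged as a phishing campaign and then, within a few hours, sent to far more recipients than their normal volume. This is an added example, not code from the list or its author; the log records, baseline figures, window and threshold are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: inbound messages the spam appliance later tagged as a
# phishing campaign, and outbound submissions per account in the following hours.
INBOUND_PHISH = [
    # (timestamp, recipient account, campaign tag)
    ("2010-04-14T06:05:00", "alice", "campaign-17"),
    ("2010-04-14T06:05:00", "bob", "campaign-17"),
    ("2010-04-14T06:06:00", "carol", "campaign-17"),
]
OUTBOUND = [
    # (timestamp, sending account, recipient count)
    ("2010-04-14T09:10:00", "alice", 480),  # bulk run a few hours after the phish
    ("2010-04-14T09:12:00", "alice", 500),
    ("2010-04-14T10:00:00", "bob", 3),      # ordinary behaviour after the phish
    ("2010-04-14T07:30:00", "dave", 450),   # bulk sender who never received the phish
    ("2010-04-14T05:00:00", "carol", 600),  # sent *before* the phish arrived
]
# Constructed per-account baseline: typical recipients per day.
BASELINE = {"alice": 5, "bob": 4, "carol": 6, "dave": 500}


def parse(ts):
    return datetime.fromisoformat(ts)


def flag_phish_then_spam(inbound, outbound, baseline,
                         window=timedelta(hours=12), factor=10):
    """Return {account: campaign} for accounts that received a phish and then,
    inside `window`, sent to more than `factor` x their baseline recipient volume."""
    first_phish = {}  # account -> (time of earliest phish received, campaign)
    for ts, rcpt, campaign in inbound:
        t = parse(ts)
        if rcpt not in first_phish or t < first_phish[rcpt][0]:
            first_phish[rcpt] = (t, campaign)

    sent_after = defaultdict(int)  # recipients sent to in the window after the phish
    for ts, sender, count in outbound:
        if sender not in first_phish:
            continue  # bulk senders who got no phish are out of scope here
        t0, _ = first_phish[sender]
        if t0 <= parse(ts) <= t0 + window:
            sent_after[sender] += count

    return {acct: first_phish[acct][1] for acct, n in sent_after.items()
            if n > factor * baseline.get(acct, 1)}
```

Accounts flagged this way are candidates for the disable-and-call-helpdesk handling the message describes, not proof of compromise on their own.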