Educause Security Discussion mailing list archives
Re: SECURITY Digest - 1 Apr 2019 to 2 Apr 2019 - Special issue (#2019-56)
From: Kristi Olson <olsokris () ISU EDU>
Date: Tue, 2 Apr 2019 16:11:08 -0600
I too would also say no. Just think of the liability if such a file were found. I wonder if they could get a score on the complexity of the password and store that rather than a password itself.

On Tue, Apr 2, 2019 at 3:35 PM SECURITY automatic digest system <LISTSERV () listserv educause edu> wrote:
There are 10 messages totalling 10448 lines in this issue.

Topics in this special issue:
1. Interesting Research (10)

----------------------------------------------------------------------

Date: Tue, 2 Apr 2019 20:01:03 +0000
From: "King, Ronald A." <raking () NSU EDU>
Subject: Interesting Research

Fellow security pros,

I had an interesting research request come into my inbox today. A researcher wants to set up a portal for students to self-register with a username and password. The kicker is passwords will be stored in plain text and collected. The premise is to gauge whether students are actually adhering to suggested practices in password design. My first reaction is "(heck) no," but I realize I may be overreacting. So, I decided to see if anyone has dealt with this kind of research and how you handled it. While I see the value in the research, my security senses tell me students will be using their standard password they use for everything. Thus, big risk.

Feel free to contact me directly.

Thank you,
Ron

Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)

------------------------------

Date: Tue, 2 Apr 2019 20:14:37 +0000
From: Brad Judy <brad.judy () CU EDU>
Subject: Re: Interesting Research

Given the popularity of password reuse, I think there is the potential for ethical and security concerns in this research. Have they run it by the Institutional Review Board yet? Human subject research that potentially puts passwords at risk that might be used for a variety of personal, financial, social, etc. purposes needs to have appropriate controls and monitoring.

How would they be incentivizing students to use this portal?

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

------------------------------

Date: Tue, 2 Apr 2019 20:20:09 +0000
From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Subject: Re: Interesting Research

I suggest that the analysis of the chosen password be done at the time it is set, before the password is protected. It requires that the collection tool be more complicated, but the dataset would be too dangerous left in clear text.

* Allow the user to set any password they like
* Apply any 'password strength algorithm' that would usually be applied before allowing the password
* Record the results of the strength algorithm
* Protect the chosen password as it is stored

------------------------------

Date: Tue, 2 Apr 2019 13:23:53 -0700
From: Hiram Wong <hiram.wong () DOMAIL MARICOPA EDU>
Subject: Re: Interesting Research

Hi Ron,

Another concern is liability issues if the information collected is compromised. You may want to run this by your Legal Counsel and Risk Management.

Hiram

Hiram Wong, CISA, CISM
Internal Audit
2411 West 14th Street, Tempe AZ 85281
phone | 480-731-8827
email | @domail.maricopa.edu
website | https://www.maricopa.edu

------------------------------

Date: Tue, 2 Apr 2019 16:27:35 -0400
From: Gael Frouin <gfrouin () BERKLEE EDU>
Subject: Re: Interesting Research

Instead of storing the password in plain text, wouldn't it be better to run the quality checks on the password upon registration of the account (or password change)? If your quality rules are defined and assessed prior to storage, you would eliminate the risk of insecure storage while maintaining the ability to report on the password quality criteria that were defined.

Gaël

------------------------------

Date: Tue, 2 Apr 2019 20:42:43 +0000
From: "Albrecht, Travis" <albrecht () UWGB EDU>
Subject: Re: Interesting Research

If the goal is to "gauge whether students are actually adhering to suggested practices in password design", why capture username at all?

Travis Albrecht
INFORMATION TECHNOLOGY SECURITY OFFICER
Information Technology Division
UW-Green Bay, 2420 Nicolet Drive, Green Bay, WI 54311
tel: (920) 465-2974 | e-mail: albrecht () uwgb edu

------------------------------

Date: Tue, 2 Apr 2019 16:56:57 -0400
From: "Laverty, Patrick" <patrick_laverty () BROWN EDU>
Subject: Re: Interesting Research

I would also say to not participate in this research. If you really want to test whether your students are adhering, then do some password cracking of the stored hashes. Or at a minimum, hash some really weak passwords, and compare those hashes to what your students are using. And if you want to know if some of your students have chosen weak passwords, the answer is yes. :)

------------------------------

Date: Tue, 2 Apr 2019 20:59:38 +0000
From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Subject: Re: Interesting Research

Always err on the side of paranoia. Your gut feelings are good.

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone at (815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.

------------------------------

Date: Tue, 2 Apr 2019 21:21:21 +0000
From: Greg Williams <gwillia5 () UCCS EDU>
Subject: Re: Interesting Research

Microsoft did some similar type of research regarding password reuse back in 2006. I have my students read this paper for my courses. They had 544k users opt in. They took the Microsoft Live Toolbar and it hashed the user's password on any site they visited. If they accessed another site and the password had the same hash, it would report the password reuse. No data was ever stored at Microsoft except how many times a password was reused and on how many different sites. You can read the paper, and you already knew that a typical user only has 5 to 6 unique passwords for 30 or so sites. This is obviously different now, 13 years later.

I agree with all the other comments, but you could ask the student to look at the research paper and see how they could improve their research methods by not storing the password, as there are so many concerns with this.

The paper is at: https://dl.acm.org/citation.cfm?id=1242661

Greg Williams, ME
Director of Operations, Office of Information Technology
Lecturer, Department of Computer Science
University of Colorado Colorado Springs
1420 Austin Bluffs Parkway (EPC 136A)
Colorado Springs, CO 80918
Phone: (719) 255-3292
Connect: Skype<skype:gwillia5 () uccs edu?chat> | WebEx<https://uccs.webex.com/meet/gregwilliams>
www.uccs.edu

------------------------------

Date: Tue, 2 Apr 2019 21:25:07 +0000
From: Ashlar Trystan <atrystan () UW EDU>
Subject: Re: Interesting Research

That article was fascinating, thanks for sharing.

--
Ashlar Trystan
Technology Systems Specialist
UW Learning Technologies
Academic & Student Affairs
Pronouns: They/Their
Mail: Box 353080
Odegaard Library, Room 240B
Street: 4060 George Washington Lane NE, Seattle, WA, 98105
206-221-4889
atrystan () uw edu

------------------------------

End of SECURITY Digest - 1 Apr 2019 to 2 Apr 2019 - Special issue (#2019-56)
****************************************************************************
--
Kristi Olson
Director, Information Security - Information Technology Services
Idaho State University
olsokris () isu edu
208-282-3129
http://www.isu.edu
Discover Opportunity
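The collection flow that Mark Jones and Gael Frouin describe in the digest above (score the password at set time, record the result, then protect the stored password), written out as an added example. This is not code from the thread or from any of the institutions in it. The password is scored in memory at registration, only the derived record goes to the research dataset (with no username, per Travis Albrecht's point), and the account store keeps a salted PBKDF2 hash. The common-password list, the policy thresholds (12 characters minimum), the iteration count and the class and method names are all assumptions made for the example.

```python
"""Registration flow that scores a password at set time and stores only the
score plus a salted hash. Added example for the EDUCAUSE thread; not code
from the thread or from any institution in it."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a real common-password list (assumption: a
# deployment would load a breach-derived list from a file instead).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Assumed policy and hashing parameters for this example.
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000


@dataclass(frozen=True)
class StrengthRecord:
    """What the research dataset keeps: derived facts only, never the secret."""
    length: int
    char_classes: int        # how many of lower/upper/digit/symbol are present
    is_common: bool
    contains_username: bool
    meets_policy: bool


def score_password(password: str, username: str) -> StrengthRecord:
    """Run the strength checks on the in-memory value before it is hashed."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    is_common = password.lower() in COMMON_PASSWORDS
    contains_username = len(username) >= 3 and username.lower() in password.lower()
    meets_policy = (len(password) >= MIN_LENGTH and not is_common
                    and not contains_username)
    return StrengthRecord(len(password), classes, is_common,
                          contains_username, meets_policy)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 with a fresh random salt per account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


class ResearchPortal:
    """Two separate stores: account credentials (salted hashes keyed by
    username) and an anonymous research dataset of StrengthRecords that
    holds neither username nor password."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Tuple[bytes, bytes]] = {}
        self.research_records: List[dict] = []

    def register(self, username: str, password: str) -> StrengthRecord:
        record = score_password(password, username)
        # Only the derived record is kept for the study; the plaintext is
        # never written anywhere and goes out of scope when this returns.
        self.research_records.append(asdict(record))
        self.accounts[username] = hash_password(password)
        return record

    def login(self, username: str, password: str) -> bool:
        if username not in self.accounts:
            return False
        salt, expected = self.accounts[username]
        _, digest = hash_password(password, salt)
        return hmac.compare_digest(digest, expected)

    def summary(self) -> Dict[str, int]:
        """Aggregate counts the researcher can report from the dataset."""
        recs = self.research_records
        return {
            "registrations": len(recs),
            "meets_policy": sum(r["meets_policy"] for r in recs),
            "common": sum(r["is_common"] for r in recs),
            "contains_username": sum(r["contains_username"] for r in recs),
        }


if __name__ == "__main__":
    portal = ResearchPortal()
    # Constructed sample sign-ups for the demonstration.
    for user, pw in [("alice", "password"), ("bob", "Correct-Horse-Battery-9"),
                     ("carol", "Carol2019!!!")]:
        portal.register(user, pw)
    print(portal.summary())
```

The point of the split into two stores is that a compromise of the research dataset yields nothing usable: it contains counts and booleans, not secrets, and it cannot be joined back to an account because no username is recorded. The account store is only as exposed as any ordinary salted-hash credential store would be.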