Educause Security Discussion mailing list archives
Re: Interesting Research
From: Mark Poepping <poepping () CMU EDU>
Date: Tue, 9 Apr 2019 23:11:15 +0000
Just my opinion... Based on the work done locally and the assistance I've provided over the years... This is an unnecessary risk. We first said 'no' to a similar data request over 25 years ago. I don't believe there is any reason for anyone to collect and hold passwords, encrypted or not (except the password tools a user might use, or a recovery vault with an enterprise key).

Our general approach is to respectfully ask a researcher: what might be the minimal data needed to test the hypothesis? We have found most security researchers to appreciate this approach and come back with a *much better* proposal (or not come back).

Several years ago we supported an experiment to test the effective entropy in passwords actually selected by local users (driven by a 'global reset') - the same base data that you're talking about, I think - we did it all without anyone seeing or ever storing passwords (researchers wrote all the code - we vetted the safety and anonymity of the data export, with IRB approval). I'd start by suggesting they calculate a strength vector with a unique but unmappable identifier to support longitudinal analysis (e.g. give them a username if this is a controlled test) - that should make the data safe, period.

To two of your specific points:

#2 - there are several ideas: test the strength of 5000 passwords from users without training and 5000 with training, compare results; or test 5000 untrained users, then train them and test again. This is a little weird anyway, since most password systems enforce some rules, and that'll affect applicability of the results.

#3 - usually people will want username as a dangerous indicator of uniqueness (map pre-training to post-training) - you can do the same with a non-reversible (and non-public) hash - be careful to avoid replay because it defeats non-reversibility. i.e. If I have your list of usernames and your hash function, I can map all your usernames to the hashes - don't need to reverse it.

Finally, be careful of the claim that it's "just an experiment, the passwords aren't real, we just ask them to make one up"... Even if you tell people not to use any password they currently use, there's no assurance of that so the data is still a risk. Basically, collect only what you really need.

Hope it helps.
Mark.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Tuesday, April 9, 2019 2:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Interesting Research

Thank you all for responding. This is great info I will be sharing with the researcher, our IRB, our CIO and possibly legal. Some quick replies to questions:

* The IRB has yet to approve this research.
* Using a tool to analyze a password to detect strength: the idea of the research is to see if training on strong passwords paid off. Such a tool may or may not work as I would think we would need to know the strength before and after the training.
* I am not sure why they need username. I will follow up.
* I hadn't thought of the privacy impact, but, now that I have, the risk has grown.
  o (I foresee) Then getting consent or warning the student ahead of time would logically lead to a student adapting momentarily and invalidating the research.
* I do not know if the VCR/VPR is involved in this. Our CIO knows and is of the same mindset I am.

I still keep coming back to the password reuse. In my 3 months back here, I have talked with one student whose banking info was changed in our student system. Should this DB end up in the wrong hands, it will get worse.

Reading list (Thank you much for these!):
https://dl.acm.org/citation.cfm?id=1242661 (Microsoft password reuse, 2006)
https://www.blaseur.com/papers/chi16-pwperceptions.pdf, "Do Users' Perceptions of Password Security Match Reality?"
http://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf, "The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis"
https://www.cs.umd.edu/~jkatz/security/downloads/passwords_revealed-weir.pdf, "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords"
https://www.nsf.gov/bfa/dias/policy/human.jsp (NSF Human Use)
https://www.slideshare.net/JISC/password-lifespans-at-ucl-a-training-opportunity (UCL in the UK sliding scale of password strength and renewal time frame)

Thanks again for all the valuable input!

Ron
Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Tuesday, April 2, 2019 4:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Interesting Research

Fellow security pros,

I have an interesting research request come in my inbox today. A researcher wants to set up a portal for students to self-register with a username and password. The kicker is passwords will be stored in plain text and collected. The premise is to gauge whether students are actually adhering to suggested practices in password design. My first reaction is "(heck) no," but I realize I may be overreacting. So, I decided to see if anyone has dealt with this kind of research and how you handled it. While I see the value in the research, my security senses tell me students will be using their standard password they use for everything. Thus big risk. Feel free to contact me directly.

Thank you,
Ron
Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)
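The export pattern Mark describes (a per-password strength vector keyed to a non-reversible, non-public identifier, computed by the institution so the researcher never sees a password), as an added example that is not part of the thread. It assumes the institution holds a secret key (placeholder value below) and uses a keyed HMAC for the identifier; the unkeyed variant is included only to show the replay problem Mark points out, where anyone with the username list and the hash function can rebuild the mapping.

```python
import hashlib
import hmac
import math
import string

# Constructed sample input. In a real reset flow these pairs would be
# processed in memory at authentication time and never written anywhere.
SAMPLE = [("alice", "Summer2019!"), ("bob", "password"), ("carol", "xK9#qL2$vP7m")]
INSTITUTION_KEY = b"placeholder-secret-held-only-by-central-IT"  # assumption


def pseudonym(username: str, key: bytes) -> str:
    """Stable per-user id for longitudinal linking; unmappable without key."""
    return hmac.new(key, username.lower().encode(), hashlib.sha256).hexdigest()[:16]


def naive_pseudonym(username: str) -> str:
    """Unkeyed hash: non-reversible, but trivially replayed from a username list."""
    return hashlib.sha256(username.lower().encode()).hexdigest()[:16]


def strength_vector(pw: str) -> dict:
    """Coarse features only; the password itself is never retained."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    used = [c for c in classes if any(ch in c for ch in pw)]
    pool = sum(len(c) for c in used)
    return {
        "length": len(pw),
        "classes": len(used),
        # crude upper bound on entropy for a uniformly random pick from the pool
        "est_bits": round(len(pw) * math.log2(pool), 1) if pool else 0.0,
    }


def export(records, key: bytes, phase: str) -> list:
    """What the researcher receives: pseudonym, phase tag, features. No password."""
    return [{"id": pseudonym(u, key), "phase": phase, **strength_vector(p)}
            for u, p in records]


def replay_mapping(username_list, observed_ids) -> dict:
    """Under the unkeyed scheme, recover usernames from exported ids by replay."""
    table = {naive_pseudonym(u): u for u in username_list}
    return {i: table[i] for i in observed_ids if i in table}
```

Running `export(SAMPLE, INSTITUTION_KEY, "pre")` and later `export(..., "post")` lets the same pseudonym link the two phases, while `replay_mapping` returns nothing for HMAC ids and everything for the unkeyed ones.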