RE: User Passwords and security risks

[damien () xyplex org]

Greetings,

Since there is a lack of data in this area I am going to conduct a study. 
Anyone interested in participating? Details can be found at www.xyplex.org

Regards,

Damien Manuel.

At 08:47 AM 7/05/2004 +0200, J. Rappard wrote:
> Hi Damien,
>
> I'd say Gartner must have some on this? The buzz is that passwords and
> usernames are NOT safe at all for at least 80% of the users is using the
> good old 3M method (notes sticking on monitors and under keyboards).
>
> I think a study would be welcome, question is how to get users to answer a
> questionaire.
>
> I'd like to be informed of any new insights. Thanks in advance.
>
> With kind regards,
>
> Jasper Rappard
>
> -----Original Message-----
> From: Damien Manuel [mailto:dm () xyplex org]
> Sent: Thursday, May 06, 2004 11:44 AM
> To: Edward Miller; Damien Manuel
> Cc: security-basics () securityfocus com
> Subject: Re: User Passwords and security risks
>
> Greetings,
>
> It appears that there is a real lack of statistical and informational
> evidence in this area.
>
> Would anyone be interested in participating in a study to determine the real
> risks? Would it be worth doing? Anyone interested in helping if it is of
> value?
>
> Regards,
>
> Damien Manuel
>
> At 04:59 PM 4/05/2004 -0400, Edward Miller wrote:
>
>
>
>
> >Damien, I wish I had some statistics in that area as well, but I
> >haven't come across any. However, here is a little analogy that I have
> >used in Security Awareness training about passwords. I wish I could
> >take credit for creating it because it always gets a good laugh. The
> >best part I think is that every user will remember two or three of these at
> least:
> >
> >Passwords Are Like Underwear
> >
> >1. Change yours often.
> >2. Don't leave it lying around.
> >3. Don't share yours with anyone else.
> >4. The longer the better.
> >5. Be mysterious.
> >
> >
> >Ed Miller
> >
> >
> >
> >
> >
>  >
>                        Damien
> Manuel
>
>                        <dm () xyplex org>          To:
> security-basics () securityfocus com
> >                                                cc:
>  >
>                        05/03/2004 04:41         Subject:  User Passwords
> and security risks
> >                       AM
>  >
>
>
>
>
>
>
>
> >
> >
> >
> >Greetings,
> >
> >Does anyone have any statistics or raw data on the risks associated
> >with user based passwords in terms of the frequency of easily guessable
> >passwords and how different password policies and user education
> >affects the outcome?
> >
> >Regards,
> >
> >Damien Manuel, CISSP.
> >
> >-----------------------------------------------------------------------
> >---- Ethical Hacking at the InfoSec Institute. Mention this ad and get
> >$545 off any course! All of our class sizes are guaranteed to be 10
> >students or less
> >
> >to facilitate one-on-one interaction with one of our expert instructors.
> >Attend a course taught by an expert instructor with years of
> >in-the-field pen testing experience in our state of the art hacking
> >lab. Master the skills of an Ethical Hacker to better assess the
> >security of your organization.
> >Visit us at:
> >http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> >-----------------------------------------------------------------------
> >-----
> >
> >
> >
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the
> skills of an Ethical Hacker to better assess the security of your
> organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------