Password reset warrior arrested for popping 1050 student accounts

An Arizona man has been arrested for hacking 1050 email accounts at two United States universities, plus attempts to do so at some 75 other educational institutions. Jonathan Powell, 29, is alleged to have used password reset features to change logins for some 1050 accounts at the universities before breaching connected social …

  1. Version 1.0 Silver badge

    2054 password attempts

    2000 password resets with a student population of about 50,000 (that's just Penn State) wouldn't necessarily set off any alarms.

    These days passwords have to be c0MPl3xAndL0ng! and so they are easy to forget even if you try to remember them. I have to admit that for some sites I don't even bother trying to remember them - I just use the password reset "feature" whenever I need to log in.

  2. Anonymous Coward

    2054?

    Ooh so close to 2101.

  3. Anonymous South African Coward Bronze badge

    Trying to gun for the position of BOFH?

    FAIL.

  4. Anonymous Coward

    Plus how did this guy hide his own IP???

    Was he using a rented botnet or something.....

    1. teebie

      Re: Plus how did this guy hide his own IP???

      Based on the story about his arrest, the answer to your question is probably 'badly'.

  5. James O'Shea

    'complex' password nonsense

    I have been known to teach the occasional class at the local community college. They require everyone, students, staff, adjuncts, whatever, to have a 'complex' password. You know, at least three of uppercase, lowercase, numbers, symbols, a minimum of eight total characters. The usual. They also insist on users changing their passwords every 90 days. Their IT department was not amused when I pointed out that P@55worD01 exceeded their 'complexity' requirements, and that merely changing the trailing two digits would give me 100 changes of password, or 300 months' worth. They went to the trouble of adding code to detect P@55worD01, et al, and banning the use of numbers as the last two digits. So I use an equally inane password, this time with the two numbers that I change every 90 days buried in the middle of the password, the rest of which never changes. My only problem is remembering which two numbers are in use this month. Now, if they were serious about password security, they'd bin the 'complex' crap and allow passphrases. You know, stuff that can be easily remembered but is hard to guess or to crack using normal password cracking methods. Things like, oh, tennoheikabanzai. ('May the Emperor reign 10,000 years.' Yes. Really.) No need for 'forgot password' crap if you remember the passphrase...
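The policy this comment describes, sketched as an added example (not part of the comment and not the college's code): the stated complexity rule, the trailing-digit ban, and an assumed extra check, `is_counter_rotation`, that compares old and new passwords with digit runs collapsed. It assumes the change form supplies the current password in plaintext; the `Cl@ss...` passwords are constructed samples.

```python
import re

def meets_complexity(pw):
    """Rule as the comment describes it: 8+ characters, 3 of 4 classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= 8 and sum(classes) >= 3

def ends_in_two_digits(pw):
    """The follow-up ban the comment describes: digits as the last two characters."""
    return re.search(r"\d\d$", pw) is not None

def skeleton(pw):
    """Assumed normalisation: replace each run of digits with '#'."""
    return re.sub(r"\d+", "#", pw)

def is_counter_rotation(old, new):
    """True when the new password differs from the old one only in its digits."""
    return old != new and skeleton(old) == skeleton(new)

def review_change(old, new):
    """Return the reasons a change would be refused; an empty list means accepted."""
    reasons = []
    if not meets_complexity(new):
        reasons.append("complexity")
    if ends_in_two_digits(new):
        reasons.append("trailing-digits")
    if is_counter_rotation(old, new):
        reasons.append("counter-rotation")
    return reasons

if __name__ == "__main__":
    samples = [
        ("P@55worD01", "P@55worD02"),          # password quoted in the comment
        ("Cl@ss17room!", "Cl@ss18room!"),      # constructed: digits in the middle
        ("Cl@ss18room!", "tennoheikabanzai"),  # passphrase quoted in the comment
    ]
    for old, new in samples:
        print(f"{old} -> {new}: {review_change(old, new) or 'accepted'}")
```

The mid-password counter passes both of the college's rules and is caught only by the skeleton comparison, while the 16-character passphrase is refused by the complexity rule alone.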

    1. Anonymous Coward

      Re: 'complex' password nonsense

      There are some password rules that come close to making the password useless - and lead to post-it notes if they're used regularly and resets if they're used occasionally.

      But my favourite idiocy is school passwords that need to be changed every 30 days and can't be repeated. Apart from the simple fact that no one can keep thinking of and remembering new passwords, teachers seldom have time to faff about. You can't keep a class waiting while you sit trying to log in to the computer. And of course the first day of each term most of the passwords have expired - (possibly all of them in September) and in some schools/authorities have to be reset by the LA IT team, who have to be phoned.......

      I understand why, we want the highest security possible, especially for schools. But make a password impossible to use and it gets undermined.

    2. John H Woods Silver badge

      Re: 'complex' password nonsense

      If you're a Dvorak typist, typing Password on a keyboard in QWERTY mode usually gives you something that passes nearly all complexity tests.
