In the latest in a long line of compromised password databases, we hear that the University of New South Wales has had a password database compromised.
This is interesting for several reasons:
- UNSW is an HE-sector institute, so the level of embarrassment is very comparable to the level of embarrassment we would suffer if we were to have the same sort of data stolen.
- UNSW had a web-based application which accessed data from a database which contained passwords – itself a bad thing, and one that should have been a big flag that the application had to be approached very carefully to minimise the risk of flaws.
- The best guess is that these passwords were initial passwords, in that they were created as part of the account creation process and the relevant students were expected (if not forced) to use these passwords only once before setting a more reasonable password. But it is quite probable that the initial passwords were not removed from the database after being issued.
- The passwords themselves are “interesting” as they are relatively short (7-8 characters is really no longer long enough for a password), and to make an attacker’s life easier are simple pronounceable syllables.
The striking thing about the Naked Security commentary is the clear indication that they do not really understand the account management problems in the HE sector, which is probably close to the worst-case scenario for account management – not many organisations can expect a significant proportion of their account holders to turn up on one particular day and ask for their account passwords. Indeed there are probably more accounts being handed out to students on one day in “September” than there are members of staff!
In such circumstances, there is a great deal of pressure to make things just a little bit easier for the students concerned – handing out account details over the web in advance, making the passwords easier for the students, etc. All very understandable, but each such step makes the security of all the accounts just a little weaker. And using weak passwords for initial passwords encourages the further use of weak passwords – most people are likely to take their initial password as an example of a sensible password, even if they are told that this initial password is weak and should be made stronger.
Bear in mind that students (especially foreign students) often rely on being able to connect to the Internet to let their families know that they have arrived safely – and a delay in allowing them access to the Internet because of a password issue is not welcome.
Switching to a model where students create their own accounts – or at the very least provide their own passwords (but preferably usernames too) – would seem to be the way forward, provided that the passwords are not stored in plain text form. Of course getting to that destination may require the assignment of scarce resources, and so is likely to affect other projects.
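As an added illustration (my own sketch, not UNSW's code or anything from the Naked Security article) of how an initial-password flow can avoid the two failings described above: the database holds only a salted hash, never the plain text, and the initial credential is marked single-use, lapses if unused, and is overwritten the moment the student sets their own password. The in-memory `ACCOUNTS` dict, the hypothetical `z1234567` username and the one-week lifetime are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the account database; only hashes are ever stored here.
ACCOUNTS: dict = {}
PBKDF2_ROUNDS = 200_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def issue_initial_password(username: str, now: float, ttl_seconds: int = 7 * 24 * 3600) -> str:
    """Create the account with a random initial password (not a short pronounceable
    syllable pattern). The plaintext is returned once, for the welcome letter, and
    is not retained anywhere in the record."""
    initial = secrets.token_urlsafe(12)  # ~96 bits of entropy
    salt = os.urandom(16)
    ACCOUNTS[username] = {
        "salt": salt,
        "hash": _hash(initial, salt),
        "initial": True,            # must be replaced on first use
        "expires": now + ttl_seconds,  # an unclaimed initial password lapses
    }
    return initial


def verify(username: str, password: str, now: float) -> bool:
    rec = ACCOUNTS.get(username)
    if rec is None:
        return False
    if rec["initial"] and now > rec["expires"]:
        return False  # initial password was never used in time; issue a new one
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


def needs_password_change(username: str) -> bool:
    """True while the account still runs on its issued initial password."""
    return ACCOUNTS[username]["initial"]


def set_password(username: str, old: str, new: str, now: float) -> bool:
    """The student chooses their own password; the initial credential is overwritten,
    not kept alongside it, so a later database leak cannot expose it."""
    if not verify(username, old, now) or len(new) < 12:
        return False
    rec = ACCOUNTS[username]
    rec["salt"] = os.urandom(16)
    rec["hash"] = _hash(new, rec["salt"])
    rec["initial"] = False
    rec.pop("expires", None)
    return True
```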