
Legal issue

acecs
Dabbler
Posts: 10
Registered: 17-09-2007

Legal issue

Is it legal for the provider of a service to dictionary-attack their user database for passwords? The computing department at the university I am currently at is attempting this to ensure password strength. There is no clause in the ToS that agrees to them doing such a thing. It is assumed that as the provider of the service, they can do what they like with the password information, but I am not so convinced to be honest. The Data Protection Act seems highlighted most.
14 REPLIES
Community Veteran
Posts: 3,789
Registered: 08-06-2007

Re: Legal issue

I can't see how it's a DPA issue, as it's not personal information.
Ethically, it seems potentially dubious. However, technically it's actually probably a good idea to ensure password strengths.
However, a better way would be to ensure that the user is only *allowed* to change their password to one that matches a particular cipher strength.
B.
LiamM
Grafter
Posts: 5,636
Registered: 12-08-2007

Re: Legal issue

If it were me, I'd rather my University was trying to break in and alerting users where passwords are too soft than hackers gaining entry.
MikeWhitehead
Grafter
Posts: 748
Registered: 19-08-2007

Re: Legal issue

I find it quite disconcerting that the University's IT department would be attempting to dictionary-attack their users. I agree with Barry on this one; it would make much more sense for them to set up a password cipher which only allows particular strengths of password (which would factor in disallowing dictionary-based words, etc).
Change your password to "DontSpyOnMe"
paulby
Grafter
Posts: 1,619
Registered: 26-07-2007

Re: Legal issue

Quote
Change your password to "DontSpyOnMe"

Or should that be "D0n7Spy0nM3"?

VileReynard
Seasoned Pro
Posts: 10,588
Thanks: 193
Fixes: 9
Registered: 01-09-2007

Re: Legal issue

Quote from: acecs
Is it legal for the provider of a service to dictionary-attack their user database for passwords?

Perhaps they have lost everyone's password?

MikeWhitehead
Grafter
Posts: 748
Registered: 19-08-2007

Re: Legal issue

Quote from: axisofevil
Quote from: acecs
Is it legal for the provider of a service to dictionary-attack their user database for passwords?

Perhaps they have lost everyone's password?

Then they wouldn't dictionary-attack, they'd brute force/use rainbow tables.
Seems like an IT dept with the right idea, but the wrong methods.
MikeWhitehead
Grafter
Posts: 748
Registered: 19-08-2007

Re: Legal issue

Depends if they could decrypt the hashes (doesn't say which algorithm is being used, could be salted triple MD5).
It would take a lot less effort and time on the techie's part to simply get their password ciphers set up to not allow weak passwords, as I said before (if they can't do it they need to take a good look at themselves!).
I agree with James that it's more than likely just propaganda. MITM monitoring of the network would be a bit excessive though, don't you think James?
MikeWhitehead
Grafter
Posts: 748
Registered: 19-08-2007

Re: Legal issue

Instead of using more hardware/increasing power consumption to monitor traffic between clients and authentication servers, why not simply ensure your authentication system is doing its job well prior to accepting the chosen password as good enough, cutting out all the added expense?
I agree that it's quite possibly simply to scare people into using stronger passwords, although they could make the job so much easier for themselves (e.g. new passwords must contain at least 8 characters, at least 2 must be numeric and at least 2 must be non-alphanumeric). Would make their lives a lot easier.
MikeWhitehead
Grafter
Posts: 748
Registered: 19-08-2007

Re: Legal issue

I guess it was! The OP could suggest our observations to the IT dept, or we can just stop filling his thread with what they should be doing, hehe.
VileReynard
Seasoned Pro
Posts: 10,588
Thanks: 193
Fixes: 9
Registered: 01-09-2007

Re: Legal issue

Quote from: James_H
The password will all be in one DB somewhere that they can access.

I hope not!
They should not be storing passwords in any form.
They should be using a strictly one-way encryption where they check that user+password matches a stored hash.

MikeWhitehead
Grafter
Posts: 748
Registered: 19-08-2007

Re: Legal issue

Of course the passwords are stored somewhere Jeremy, else how will the authentication take place?
James meant the password hashes are stored in a database, and that the hashes can be accessed (being the network administrators, they have access to it) and then decrypted.
VileReynard
Seasoned Pro
Posts: 10,588
Thanks: 193
Fixes: 9
Registered: 01-09-2007

Re: Legal issue

Quote from: MikeWhitehead
Of course the passwords are stored somewhere Jeremy, else how will the authentication take place?

The important feature is that no passwords are stored. The result of a one-way algorithm derived from user+password is stored. Because it is one-way, knowledge of the user name and the stored hash does not allow the password to be generated.
There are certain similarities with public key encryption.
Think of the user name as the public key and the password as the private key...

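As an added illustration of what the last few posts describe (not code from anyone in this thread or from the university in question), the block below puts together the two ideas: a password-change policy check along the lines Mike suggested (at least 8 characters, at least 2 digits, at least 2 non-alphanumeric characters, plus a dictionary check that also catches "D0n7Spy0nM3"-style substitutions), and one-way password storage of the kind Jeremy describes, where only a salted hash is kept and a login is checked by recomputing it. The word list and the substitution table are constructed for the example and are assumptions; a real deployment would use a full dictionary and a maintained hashing library.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real dictionary file (assumption for this example).
DICTIONARY = {"password", "letmein", "welcome", "dontspyonme", "university"}

# Common digit/symbol-for-letter substitutions, undone before the dictionary lookup
# so that "D0n7Spy0nM3" is recognised as "dontspyonme". Constructed, not exhaustive.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# PBKDF2 work factor; a deliberately slow hash limits offline guessing of a leaked record.
ITERATIONS = 600_000


def normalise(password: str) -> str:
    """Undo substitutions, drop non-letters and lowercase, for dictionary comparison."""
    return "".join(c for c in password.translate(LEET) if c.isalpha()).lower()


def policy_violations(password: str) -> list:
    """Return every rule the candidate password breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if sum(c.isdigit() for c in password) < 2:
        problems.append("fewer than 2 digits")
    if sum(not c.isalnum() for c in password) < 2:
        problems.append("fewer than 2 non-alphanumeric characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    word = normalise(password)
    if word in DICTIONARY:
        problems.append(f"resembles the dictionary word '{word}'")
    return problems


def hash_password(password: str) -> str:
    """Produce the only thing stored server-side: algorithm, work factor, random salt, digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ["DontSpyOnMe", "D0n7Spy0nM3!!", "Tr0ub4dor&3#"]:
        print(candidate, "->", policy_violations(candidate) or "accepted")
    stored = hash_password("Tr0ub4dor&3#")
    print("stored record:", stored)
    print("correct password verifies:", verify_password(stored, "Tr0ub4dor&3#"))
    print("wrong password verifies:", verify_password(stored, "DontSpyOnMe"))
```

The point of the per-user random salt is the one made earlier in the thread about rainbow tables: two users with the same password get different records, and a precomputed table is useless against the store. Enforcing the rules at password-change time also means the department never needs to run guesses against its own database to learn which accounts are weak.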
MikeWhitehead
Grafter
Posts: 748
Registered: 19-08-2007

Re: Legal issue

I just wrote a big long reply there but couldn't be bothered to read through it all again to make sure I never made any errors so here's a shortened form of it:
Even if it is a one-way algorithm, this doesn't say "Sorry, you'll never find out what it is now". If you have access to the machine, you can dump the hashes very easily with a single tool, then use something like ...another single tool, et voilà, you have the given passwords.
acecs
Dabbler
Posts: 10
Registered: 17-09-2007

Re: Legal issue

It is probably right to assume that it was only mentioned for the sake of increasing network security; a legal objection just would have made it easier for them to admit it. I agree they are going the wrong way about it when it would be so easy to increase the security just by ensuring passwords contain a combination of letters, numbers and maybe different case letters. In effect, their scare tactics are a bad solution to a simple problem, and even then they are not guaranteed success.