Bugtraq mailing list archives

Re: Not so much a bug as a warning of new brute force attack


From: Valdis.Kletnieks () vt edu (Valdis.Kletnieks () vt edu)
Date: Tue, 4 Jun 1996 14:39:41 -0400



On Tue, 04 Jun 1996 10:12:13 BST, you said:
> Is this not desirable?  The longer they keep that good password, the worse it
> gets.  Make them choose another good password!

You know, this is taken as an article of faith, but some days I'm not
so sure.  Yes, the longer you use a password, the higher the chance
that it gets compromised - but notice that if you *change* the
password, you have a chance of being compromised immediately.  Most of
the current attacks on passwords (sniffers, crack programs, et al) are
equally effective whether the password is 2 minutes old or 2 years
old.

I'd have to chunk out the statistics to be sure, but I have a feeling
that unless you set <max password lifetime> to be in the same range as
<time to run CRACK>, it doesn't really help matters any.  The only
thing you're REALLY doing is changing the amount of time the hacker
can *USE* the password.

And let's face it - once the hacker HAS the password, he'll probably
install a backdoor, so it doesn't MATTER if you expire his password.

This leads to the conclusion that what you *REALLY* want to do is:

1) Make sure you use Kerberos or other network authentication so you
never send it in cleartext...

2) *LET* the damn password be the same for years and years - *AFTER*
you've made sure that it's a Really Really Good password.

3) Remember that if you make them change it once a month, the average
quality will decay.... "Damn, it's that time again...".


--
                                Valdis Kletnieks
                                Computer Systems Engineer
                                Virginia Tech
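The trade-off argued above, as an added Monte Carlo model that is not part of the original post: the attacker captures the password material at a uniformly random point in its lifetime (a constructed assumption), a sniffed cleartext password is usable at once, and an offline crack that outlasts the remaining lifetime yields nothing. All numbers are constructed.

```python
import random


def simulate(lifetime_days, crack_days, trials=50_000, seed=7):
    """Monte Carlo over many compromise attempts against a rotation policy.

    Each trial: the attacker captures the password material (sniffed
    cleartext, or a hash to crack offline) at a uniformly random age of
    the password.  crack_days = 0 models a sniffer (usable immediately);
    a positive value models an offline crack that needs that long.

    Returns (fraction of trials that yield a usable password,
             mean days of attacker use per trial, failures counted as 0).
    """
    if lifetime_days <= 0:
        raise ValueError("lifetime_days must be positive")
    rng = random.Random(seed)
    successes = 0
    use_days = 0.0
    for _ in range(trials):
        # Time left until the forced change at the moment of capture.
        remaining = lifetime_days - rng.uniform(0.0, lifetime_days)
        if crack_days < remaining:  # cracked before the scheduled change
            successes += 1
            use_days += remaining - crack_days
    return successes / trials, use_days / trials


def compare_policies(crack_days, lifetimes=(30, 90, 365, 3650)):
    """Map each max-lifetime policy to (success fraction, mean use days).

    For a sniffer (crack_days=0) every policy yields success 1.0 and mean
    use of lifetime/2: rotation only shortens how long the password can
    be *used*.  For an offline crack, success falls to zero only once the
    lifetime drops below the crack time, which is the post's point.
    """
    return {L: simulate(L, crack_days) for L in lifetimes}


if __name__ == "__main__":
    for crack in (0, 30):
        print(f"crack_days={crack}")
        for L, (p, d) in compare_policies(crack).items():
            print(f"  lifetime {L:>5}d: success {p:.3f}, mean use {d:7.1f}d")
```

Closed forms to check the output against: success is max(0, 1 - crack/lifetime) and mean use is (lifetime - crack)^2 / (2 * lifetime) when crack < lifetime.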





