Educause Security Discussion mailing list archives
Re: Account Lockout Policies
From: jack suess <jack () UMBC EDU>
Date: Wed, 12 Jul 2006 19:17:44 -0400
I'd like to suggest people take a look at the eauthentication assessment suite developed by NIST for the federal government. This was designed for validating different levels of assurance between federal agencies. One thing that the credential assessment suite provides is a spreadsheet that allows you to examine different password policies and their resulting strength. We used this to discuss with our auditors how we were selecting our password policy and showed that different tradeoffs produce equivalent password practices.

NIST did a very good job on the password spreadsheet. When you work with the assessment matrix you can show that some standard audit practices don't help very much. We used this to show that changing passwords more frequently is not necessarily better than requiring stronger passwords at the beginning. Inside this you can play with account lockout rules and determine the benefit that comes from different approaches.

For more on eauthentication, www.cio.gov/eauthentication

For the credential assessment suite http://www.cio.gov/eauthentication/CredSuite.htm

jack suess

On Jul 12, 2006, at 5:50 PM, Russell Fulton wrote:
Valdis Kletnieks wrote:

> On Tue, 11 Jul 2006 16:07:30 EDT, Randy Marchany said:
>
>> We use 3 attempts before lockout, but the duration is short. The point is to stop automated attempts and random guessing so I don't see much point in locking "forever".
>
> Time to become the pinata :-).
>
> If anybody cares, one of the earliest cites on login attempts is probably the DoD 'Rainbow Series' manual on password management (April 1985). It's important to note that at least in this manual, the *goal* (limit the upper bound of guesses) is clearly understood - I'm not convinced that most auditors have as good a grasp on the *why* as the Rainbow Series guys did.

[ Lots of good stuff snipped ]

This is where monitoring of logs suddenly becomes vitally important. If you review your authentication records regularly for failed logins (you do, don't you?) then you only have to slow down the login attempts so it is unlikely that an attacker can brute force an account before it (the attack) is noticed. Of course all your passwords should conform to standards ;) but seeing a persistent brute force attack against an account is a good reason to make quite sure that the account is 'safe'. This is why authentication services without logging mechanisms are a total disaster (MS, are you listening? Remember RDP?)

Russell
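The two threads of argument above (jack's point that a lockout rule is really a bound on the number of guesses an attacker gets per password lifetime, and Russell's point that the lock only needs to slow the attacker down enough for log review to catch them) can be put into a small model. The following is an added example, not code from the list, from NIST or from the credential assessment suite: a lockout policy expressed as a guess bound, replayed over constructed sshd-style log lines, with a failed-login monitor run over the same lines. The host name, addresses, user names and policy numbers are hypothetical.

```python
"""Added example, not code from the thread or from NIST: an account-lockout
policy modelled as a guess bound, replayed over constructed sshd-style log
lines, plus the failed-login monitor the reply above argues for.  Host names,
addresses and policy numbers are hypothetical."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime
import math
import re

@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int       # consecutive failures tolerated before the lock
    lockout_seconds: float  # lock duration; math.inf models "lock forever"

    def max_guesses(self, seconds):
        """Upper bound on online guesses at one account within `seconds`:
        guesses are instantaneous and the attacker resumes the moment each
        lock expires (worst case for the defender)."""
        return self.max_failures * (math.floor(seconds / self.lockout_seconds) + 1)

def online_guess_probability(policy, lifetime_seconds, password_space):
    """Chance the attacker hits the password before it is changed, for
    passwords drawn uniformly from `password_space` candidates; the
    per-lifetime figure the NIST spreadsheet reasons about."""
    return min(1.0, policy.max_guesses(lifetime_seconds) / password_space)

LOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"(Failed|Accepted) password for (\S+) from (\S+)")

def parse_auth_log(text, year=2006):
    """sshd lines -> sorted (seconds since Jan 1, user, accepted, source).
    syslog omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an sshd password event
        stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        t = (stamp - datetime(year, 1, 1)).total_seconds()
        events.append((t, m.group(3), m.group(2) == "Accepted", m.group(4)))
    return sorted(events)

def apply_policy(policy, events):
    """Replay the log through the policy.  Per user: failures that counted,
    successes, and attempts rejected while locked (a correct password during
    the lock is rejected too; that is the denial-of-service cost of locking)."""
    state, stats = {}, {}
    for t, user, ok, _src in sorted(events):
        st = state.setdefault(user, {"fails": 0, "locked_until": -math.inf})
        s = stats.setdefault(user, {"failed": 0, "accepted": 0, "rejected_locked": 0})
        if t < st["locked_until"]:
            s["rejected_locked"] += 1  # no progress for the attacker
            continue
        if st["locked_until"] > -math.inf:  # lock expired: counter restarts
            st["fails"], st["locked_until"] = 0, -math.inf
        if ok:
            st["fails"] = 0
            s["accepted"] += 1
        else:
            st["fails"] += 1
            s["failed"] += 1
            if st["fails"] >= policy.max_failures:
                st["locked_until"] = t + policy.lockout_seconds
    return stats

def flag_bruteforce(events, threshold, window_seconds):
    """Users with at least `threshold` failures inside any `window_seconds`
    span, counted from the raw log regardless of lockout: the lock only slows
    the attacker; reviewing the log is what notices them."""
    flagged, recent = set(), {}
    for t, user, ok, _src in sorted(events):
        if ok:
            continue
        q = recent.setdefault(user, deque())
        q.append(t)
        while t - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(user)
    return flagged

# Constructed sample, not a real capture: bob is being guessed at, alice mistypes once.
SAMPLE_LOG = """\
Jul 12 17:50:01 bastion sshd[4012]: Failed password for bob from 203.0.113.7 port 40022 ssh2
Jul 12 17:50:02 bastion sshd[4012]: Failed password for bob from 203.0.113.7 port 40023 ssh2
Jul 12 17:50:03 bastion sshd[4012]: Failed password for bob from 203.0.113.7 port 40024 ssh2
Jul 12 17:50:04 bastion sshd[4012]: Failed password for bob from 203.0.113.7 port 40025 ssh2
Jul 12 17:52:30 bastion sshd[4020]: Failed password for alice from 198.51.100.5 port 51000 ssh2
Jul 12 17:52:41 bastion sshd[4021]: Accepted password for alice from 198.51.100.5 port 51001 ssh2
Jul 12 18:06:10 bastion sshd[4099]: Failed password for bob from 203.0.113.7 port 40101 ssh2
Jul 12 18:06:11 bastion sshd[4099]: Failed password for bob from 203.0.113.7 port 40102 ssh2
"""

if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    print(apply_policy(LockoutPolicy(3, 900), events))
    print("persistent guessing against:", flag_bruteforce(events, 4, 60))
    lifetime = 90 * 86400  # 90-day password change interval
    for pol in (LockoutPolicy(3, 900), LockoutPolicy(5, 60), LockoutPolicy(10, math.inf)):
        print(pol, pol.max_guesses(lifetime), online_guess_probability(pol, lifetime, 10**6))
```

Two things fall out of running it. First, "3 attempts then a 15-minute lock" still hands an attacker roughly 26,000 guesses over a 90-day password lifetime, which is nothing against a random 8-character password but a real fraction of a million-word dictionary; the guess bound is only as good as the password space behind it, which is jack's point about trading lockout rules against password strength. Second, the detector sees every failed attempt in the log, including the one the lock rejected, so the persistent guessing against bob is flagged within the first minute even though the policy let only three of those guesses count.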
Current thread:
- Re: Account Lockout Policies, (continued)
- Re: Account Lockout Policies Eric Brewer (Jul 11)
- Re: Account Lockout Policies Graham Toal (Jul 11)
- Re: Account Lockout Policies Cheek, Leigh (Jul 11)
- Re: Account Lockout Policies Valdis Kletnieks (Jul 11)
- Re: Account Lockout Policies Cheek, Leigh (Jul 11)
- Re: Account Lockout Policies Randy Marchany (Jul 11)
- Re: Account Lockout Policies Gary Flynn (Jul 11)
- Re: Account Lockout Policies Gary Dobbins (Jul 11)
- Re: Account Lockout Policies Valdis Kletnieks (Jul 11)
- Re: Account Lockout Policies Russell Fulton (Jul 12)
- Re: Account Lockout Policies jack suess (Jul 12)
- Re: Account Lockout Policies Gary Flynn (Jul 13)
- Re: Account Lockout Policies Jonny Sweeny (Jul 14)
- Re: Account Lockout Policies Graham Toal (Jul 14)