Educause Security Discussion mailing list archives

Re: Password Guessing Re: Passwords & Passphrases


From: Randy Marchany <marchany () VT EDU>
Date: Mon, 19 Nov 2007 16:20:26 -0500

My concern is that without some kind of lockout policy, an account with
an 8-character password would be vulnerable to a brute force attack.

I have never favored account lockouts because they introduce a more serious
threat - the DoS attack on an account. I don't want to get into your account, I
just want to lock it out and keep YOU from getting to your account. Suppose
you have an Active Directory, have a lockout time set, and you get hit with a
massive password enumeration attack. If you change your account reset times to
be shorter, then what do you accomplish as far as defense goes?

If you have reasonable password strength rules and monitor your login failures,
it's pretty straightforward to detect a brute force attack. This is much more
effective.

Account lockouts are a classic example of a solution that has outlived its
original purpose. The lockout defense was created probably 20-25 years ago
when mainframe systems (Unix, VMS, VM) had NO password control mechanisms
built into the OS. The only defense then was a lockout. There was a whole
rash of add-on tools like Matt Bishop's npasswd (or was it passwd+) that
provided a layer of password defense.

Finally, OSes like AIX v3.x came out with password rules embedded in the account
mgt subsystems, and now it's pretty common in all OSes.

I know regulatory agencies still require AL but it's outdated and serves no
purpose IF the site does the precautionary things I mentioned above.

The above is, of course, IMHO.

        -Randy Marchany
        VA Tech IT Security Office & Lab
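The "monitor your login failures" alternative to account lockout, as an added example that is not part of the original post or of any tool the thread mentions. It runs a sliding-window count over sshd-style "Failed password" lines and reports two distinct patterns: a source that generates many failures (single-account brute force or password spraying), and an account that collects many failures from many different sources, which is exactly the traffic that would lock the victim out under a lockout policy. The log format, the year (syslog lines carry none), the sample lines and the thresholds are all assumptions chosen for the example; the sample log is constructed, not captured.

```python
"""Brute-force detection from login failures, as an alternative to account
lockout.  Added example; not code from the original post.  The sshd log
format, the year and the thresholds below are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed syslog-style sshd failure line (constructed sample, not a real log):
#   Nov 19 16:20:26 host sshd[1234]: Failed password for alice from 203.0.113.5 port 4321 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
YEAR = 2007  # syslog timestamps have no year; assumed to match the thread


def parse_failure(line):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect(lines, threshold=10, window_s=300):
    """Count failures per source and per account in a sliding time window.

    Returns {'sources': {ip: {...}}, 'accounts': {user: {...}}}:
      sources  - IPs that reach `threshold` failures inside `window_s`
                 seconds (brute force against one user, or spraying many);
      accounts - users that reach `threshold` failures inside the window
                 from more than one source (distributed guessing; under a
                 lockout policy this is the denial of service against them).
    """
    events = sorted(e for e in map(parse_failure, lines) if e)
    by_src = defaultdict(deque)   # ip   -> deque of (ts, user) inside window
    by_acct = defaultdict(deque)  # user -> deque of (ts, ip) inside window
    findings = {"sources": {}, "accounts": {}}
    for ts, user, ip in events:
        for q, other in ((by_src[ip], user), (by_acct[user], ip)):
            q.append((ts, other))
            while (ts - q[0][0]).total_seconds() > window_s:
                q.popleft()  # drop failures that fell out of the window
        if len(by_src[ip]) >= threshold:
            findings["sources"][ip] = {
                "failures": len(by_src[ip]),
                "users": sorted({u for _, u in by_src[ip]}),
            }
        srcs = {s for _, s in by_acct[user]}
        if len(by_acct[user]) >= threshold and len(srcs) > 1:
            findings["accounts"][user] = {
                "failures": len(by_acct[user]),
                "sources": sorted(srcs),
            }
    return findings


def _line(sec, user, ip):
    """Build one constructed failure line `sec` seconds after 16:00:00."""
    return (f"Nov 19 16:{sec // 60:02d}:{sec % 60:02d} host sshd[{1000 + sec}]: "
            f"Failed password for {user} from {ip} port {40000 + sec} ssh2")


# Constructed sample log covering the cases the detector distinguishes.
SAMPLE_LOG = (
    # one source, 12 guesses at alice within two minutes (brute force)
    [_line(10 * i, "alice", "203.0.113.5") for i in range(12)]
    # one source, one guess each against 11 users (password spraying)
    + [_line(130 + 5 * i, f"user{i}", "198.51.100.7") for i in range(11)]
    # bob hit once each from 10 sources: no source crosses the threshold,
    # but a lockout policy would have locked bob out by now
    + [_line(200 + 3 * i, "bob", f"192.0.2.{i + 1}") for i in range(10)]
    # a real user mistyping twice: must not alert
    + [_line(300, "carol", "203.0.113.99"), _line(305, "carol", "203.0.113.99")]
    # an unrelated line the parser must ignore
    + ["Nov 19 16:05:10 host sshd[2000]: Accepted publickey for carol "
       "from 203.0.113.99 port 5000 ssh2"]
)

if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        for key, info in hits.items():
            print(f"{kind}: {key} -> {info}")
```

The per-account finding is the one a lockout policy cannot express: the response to it is to alert on, rate-limit or block the sources, not to disable bob. Tune `threshold` and `window_s` to the site's normal failure rate, and feed the detector from the central log host rather than each server so that distributed guessing is counted in one place.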
