Educause Security Discussion mailing list archives
Re: Password Guessing Re: Passwords & Passphrases
From: Randy Marchany <marchany () VT EDU>
Date: Mon, 19 Nov 2007 16:20:26 -0500
My concern is that without some kind of lockout policy, an account with an 8-character password would be vulnerable to a brute force attack.
I have never favored account lockouts because they introduce a more serious threat: the DOS attack on an account. I don't want to get in your account, I just want to lock it out and keep YOU from getting to your account. Suppose you have an Active Directory, have a lockout time set, and you get hit with a massive password enumeration attack. If you change your account reset times to be shorter, then what do you accomplish as far as defense goes?

If you have reasonable password strength rules and monitor your login failures, it's pretty straightforward to detect a brute force attack. This is much more effective.

Account lockouts are a classic example of a solution that has outlived its original purpose. The lockout defense was created probably 20-25 years ago when mainframe systems (Unix, VMS, VM) had NO password control mechanisms built into the OS. The only defense then was a lockout. There were a whole rash of add-on tools like Matt Bishop's npasswd (or was it passwd+) that provided a layer of password defense. Finally, OSes like AIX v3.x came out with password rules embedded in the account management subsystems, and now it's pretty common in all OSes. I know regulatory agencies still require AL, but it's outdated and serves no purpose IF the site does the precautionary things I mentioned above.

The above is, of course, IMHO.

-Randy Marchany
VA Tech IT Security Office & Lab
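The alternative the reply argues for, monitoring login failures rather than locking accounts, as an added example that is not part of the original message: it parses constructed sshd-style syslog lines (sample data, not real logs) and raises an alert when one source hits many accounts in a short window, or when one account draws repeated failures, which is exactly the pattern a lockout policy would turn into a denial of service against that account. The log format, thresholds and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines (sample data, not from the original post).
SAMPLE_LOG = """\
Nov 19 16:01:02 host sshd[101]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Nov 19 16:01:03 host sshd[102]: Failed password for bob from 203.0.113.5 port 40002 ssh2
Nov 19 16:01:04 host sshd[103]: Failed password for invalid user carol from 203.0.113.5 port 40003 ssh2
Nov 19 16:01:05 host sshd[104]: Failed password for erin from 203.0.113.5 port 40004 ssh2
Nov 19 16:02:00 host sshd[105]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Nov 19 16:02:10 host sshd[106]: Failed password for alice from 198.51.100.8 port 50002 ssh2
Nov 19 16:02:20 host sshd[107]: Failed password for alice from 198.51.100.9 port 50003 ssh2
Nov 19 16:30:00 host sshd[108]: Accepted password for alice from 198.51.100.7 port 50004 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_failures(text):
    """Yield (timestamp, user, source) for each failed login; successes are ignored."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # Syslog lines carry no year; strptime defaults to 1900, fine for time deltas.
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["src"]

def detect(text, window=timedelta(minutes=5), spray_accounts=4, guess_attempts=3):
    """Return {'spray': {src: n_accounts}, 'guess': {user: n_attempts}} over threshold."""
    by_src, by_user = defaultdict(list), defaultdict(list)
    for ts, user, src in parse_failures(text):  # log lines are assumed time-ordered
        by_src[src].append((ts, user))
        by_user[user].append((ts, src))
    alerts = {"spray": {}, "guess": {}}
    # Enumeration / spraying: one source touching many distinct accounts within the window.
    for src, events in by_src.items():
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= spray_accounts:
                alerts["spray"][src] = max(alerts["spray"].get(src, 0), len(users))
    # Guessing against one account (from any source): alert on it, don't disable the account.
    for user, events in by_user.items():
        for i, (t0, _) in enumerate(events):
            n = sum(1 for t, _ in events[i:] if t - t0 <= window)
            if n >= guess_attempts:
                alerts["guess"][user] = max(alerts["guess"].get(user, 0), n)
    return alerts
```

Running `detect(SAMPLE_LOG)` flags 203.0.113.5 for touching four accounts in four seconds and alice for four failures from three sources inside the window, while the later successful login is ignored.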