[Dshield] Fun with passwords

Johannes Ullrich jullrich at sans.org
Mon Jul 7 13:05:25 GMT 2008


Just a couple of opinions on passwords:

Passwords should not be used for remote authentication. I know... we  
all do it... we all *have* to do it in some ways. But for SSH for  
example, use keys, not passwords. Website logins are harder to replace.

If you find that it's too easy to brute force passwords, think beyond  
stronger password policies. Having your users come up with a new  
random password once a day will not "solve" the problem. If you spent  
a lot of time reconsidering your password policies: It's time to look  
at two factor authentication.

Before you start cracking passwords (with permission), think about how  
to deal with the results. Once you learn a user's password, you need to  
lock the user's account and force them to pick a new password. If you  
don't, then this user could claim that you used his password to  
impersonate him/her.

If you can't implement two-factor authentication, suggest that your  
users use passphrases. And configure your policy to allow for  
passphrases. (long, but not too picky on character variety)

Keep all passwords encrypted. Always. Even if your website is of "low  
value", consider the passwords important as some users may re-use  
passwords. You do not want to know your users' passwords.

Lastly: if a website restricts the password length to let's say "15  
characters": Chances are the password is not encrypted on the  
back-end. If it is encrypted ("hashed"), the password would always be the  
same length as it is entered into the database.

---------
SANSFIRE 2008 - Washington DC; 42 courses, July 22-31; www.sans.org/  
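As an added illustration of the last three points in the post (a passphrase-friendly policy that checks length rather than character variety, storing only a hash of the password, and why a stored hash is the same length whatever the user typed), here is example code that is not part of the original message. It uses a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library), which is what the post means by "encrypted ('hashed')"; the length limits, iteration count and stored record format are assumptions chosen for the example, not a published standard.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed policy values for this example (not from the post): long
# passphrases are allowed and no character-class mix is demanded.
MIN_PASSPHRASE_LENGTH = 15
MAX_PASSPHRASE_LENGTH = 256   # generous: a hash stores any length the same way
PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune for your hardware


def passphrase_meets_policy(passphrase: str) -> bool:
    """Length-based policy: long, but not picky about character variety."""
    return MIN_PASSPHRASE_LENGTH <= len(passphrase) <= MAX_PASSPHRASE_LENGTH


def hash_password(passphrase: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex).

    Only this record is written to the database; the passphrase itself is
    never stored, so the site operator never learns it.
    """
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(passphrase: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def stored_lengths(passphrases: List[str]) -> List[int]:
    """Length of the stored record for each input.

    Because only the hash is kept, every entry has the same length no matter
    how short or long the passphrase was, so no arbitrary cap is needed.
    """
    return [len(hash_password(p)) for p in passphrases]


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    for candidate in ["Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{candidate!r:35} policy ok: {passphrase_meets_policy(candidate)}")
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("correct horse battery stapler", record))
    print("record lengths:", stored_lengths(["abcd", "a" * 60, "x" * 200]))
```

The record length is identical for a 4-character and a 200-character input, which is the observation behind the post's last paragraph: a back-end that needs a 15-character cap on the column is a back-end that is storing something other than a hash.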
