[Dshield] Fun with passwords
jullrich at sans.org
Mon Jul 7 13:05:25 GMT 2008
Just a couple of opinions on passwords:
Passwords should not be used for remote authentication. I know... we
all do it... we all *have* to do it in some ways. But for SSH for
example, use keys, not passwords. Website logins are harder to replace.
If you find that it's too easy to brute force passwords, think beyond
stronger password policies. Having your users come up with a new
random password once a day will not "solve" the problem. If you spent
a lot of time reconsidering your password policies: It's time to look
at two factor authentication.
Before you start cracking passwords (with permission), think about how
to deal with the results. Once you learn a user's password, you need to
lock the user's account and force them to pick a new password. If you
don't, then this user could claim that you used his password to
If you can't implement two-factor authentication, suggest that your
users use passphrases. And configure your policy to allow for pass
phrases. (long, but not too picky on character variety)
Keep all passwords encrypted. Always. Even if your website is of "low
value", consider the passwords important as some users may re-use
passwords. You do not want to know your user's password.
Lastly: if a website restricts the password length to let's say "15
characters": Chances are the password is not encrypted on the backend.
If it is encrypted ("hashed"), the password would always be the
same length as it is entered into the database.
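The two storage points in the post above (accept long passphrases without character-variety rules, and store only a salted hash so the stored value has the same width no matter how long the passphrase is) as an added, runnable example. This is not code from the original post or from DShield/SANS; the policy values (15 to 1024 characters), the PBKDF2 iteration count, the "algo$iterations$salt$hash" encoding and the in-memory SQLite table are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Hypothetical policy values for this example (not from the original post):
# long passphrases, no rules about digits or punctuation.
MIN_LENGTH = 15
MAX_LENGTH = 1024          # the hash is fixed-size, so a large cap costs nothing
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def passphrase_allowed(passphrase: str) -> bool:
    """Length is the only requirement; 'correct horse battery staple' passes."""
    return MIN_LENGTH <= len(passphrase) <= MAX_LENGTH


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as algo$iterations$salt$hash.

    The output length does not depend on the password length, which is
    the property the post uses to spot plaintext storage.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def new_user_db() -> sqlite3.Connection:
    """In-memory table; the column holds the hash string, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, username: str, passphrase: str) -> bool:
    """Reject only on length; store the hash, so the site never learns the passphrase later."""
    if not passphrase_allowed(passphrase):
        return False
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, hash_password(passphrase)))
    return True


def login(conn: sqlite3.Connection, username: str, passphrase: str) -> bool:
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(passphrase, row[0])


def stored_length(conn: sqlite3.Connection, username: str) -> int:
    """Width of what actually lands in the database: constant, whatever the input length."""
    row = conn.execute("SELECT length(password_hash) FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else 0


if __name__ == "__main__":
    db = new_user_db()
    register(db, "alice", "correct horse battery staple")
    register(db, "bob", "a much longer passphrase that would not fit in a fifteen character column")
    print(stored_length(db, "alice"), stored_length(db, "bob"))   # same width for both
    print(login(db, "alice", "correct horse battery staple"), login(db, "alice", "wrong"))
```

Running it shows both users' stored values are the same width, so a schema built around a short VARCHAR for the password column is a sign the backend is keeping the plaintext. Note that login() returns early for an unknown username without running the KDF; a production implementation would hash a dummy value in that case so response time does not reveal which usernames exist.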