[unisog] Password auditing
marchany at vt.edu
Fri Jul 1 19:06:34 GMT 2005
Just to add another spin to this topic.....
IF (Big CAPITAL IF) you do proactive password checking, then I see no need to
use the "lockout account after X failures". Why? Account lockout policies
usually serve 1 purpose - to detect brute-force password attacks. Since you get the
same info by looking at your syslog/event-logs, why not look there for clues?

Account lockouts pose a greater threat - Denial-of-Service. What if I don't
care to guess the correct password? I just want to lock out as many accounts
as possible in the shortest amount of time. When I've taught seminars and we
get to this topic, I ask "how long does it take to reset the account?" and I
get a WIDE range of answers. We got DOS'd this way about 6-7 years ago and the
sysadmin accounts were the target. Why? To force us to be physically at the
machine in order to log in. The attack was launched in the evening so we
couldn't log in from home. They used that window to launch the real attacks.

Just .02 here.
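The post argues that the log already carries the signal a lockout policy is meant to produce, and that a lockout-driven DoS (many accounts, few guesses each) looks different from a real password-guessing attack (one account, many guesses). The following is an added example, not code from the post or from the unisog list, of the kind of log review it suggests: it parses constructed sshd-style "Failed password" / "Accepted password" lines (the format, the year used to complete the syslog timestamps, and the thresholds and window sizes are all assumptions) and reports three patterns a defender would want flagged: a burst of failures against one account from one source, a success that follows such a burst, and one source failing against many distinct accounts in a short window, which is the lockout-sweep signature rather than a guessing attack.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in sshd/syslog style; not taken from any real system.
SAMPLE_LOG = """\
Jul  1 19:00:01 host sshd[1001]: Failed password for alice from 203.0.113.10 port 4001 ssh2
Jul  1 19:00:03 host sshd[1002]: Failed password for alice from 203.0.113.10 port 4002 ssh2
Jul  1 19:00:05 host sshd[1003]: Failed password for alice from 203.0.113.10 port 4003 ssh2
Jul  1 19:00:07 host sshd[1004]: Failed password for alice from 203.0.113.10 port 4004 ssh2
Jul  1 19:00:09 host sshd[1005]: Failed password for alice from 203.0.113.10 port 4005 ssh2
Jul  1 19:00:11 host sshd[1006]: Accepted password for alice from 203.0.113.10 port 4006 ssh2
Jul  1 19:05:00 host sshd[1010]: Failed password for root from 198.51.100.7 port 5001 ssh2
Jul  1 19:05:01 host sshd[1011]: Failed password for admin from 198.51.100.7 port 5002 ssh2
Jul  1 19:05:02 host sshd[1012]: Failed password for sysadmin from 198.51.100.7 port 5003 ssh2
Jul  1 19:05:03 host sshd[1013]: Failed password for operator from 198.51.100.7 port 5004 ssh2
Jul  1 19:05:04 host sshd[1014]: Failed password for backup from 198.51.100.7 port 5005 ssh2
Jul  1 19:30:00 host sshd[1020]: Failed password for bob from 192.0.2.33 port 6001 ssh2
"""

# Assumed sshd line shape; "invalid user" is optional so unknown accounts are captured too.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(log_text, year=2005):
    """Return (timestamp, result, user, source) tuples; syslog has no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def _max_in_window(times, window, measure):
    """Slide a time window over sorted events and return the largest value of measure(slice)."""
    lo, best = 0, 0
    for hi, t in enumerate(times):
        while (t[0] - times[lo][0]).total_seconds() > window:
            lo += 1
        best = max(best, measure(times[lo:hi + 1]))
    return best


def find_brute_force(events, window=300, threshold=5):
    """One source hammering one account: classic password guessing."""
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "Failed":
            failures[(src, user)].append((ts,))
    hits = []
    for (src, user), times in failures.items():
        best = _max_in_window(sorted(times), window, len)
        if best >= threshold:
            hits.append((src, user, best))
    return sorted(hits)


def find_lockout_sweeps(events, window=300, min_accounts=4):
    """One source failing against many distinct accounts: the lockout-DoS pattern the post describes."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "Failed":
            by_src[src].append((ts, user))
    hits = []
    for src, items in by_src.items():
        best = _max_in_window(sorted(items), window, lambda s: len({u for _, u in s}))
        if best >= min_accounts:
            hits.append((src, best))
    return sorted(hits)


def successes_after_failures(events, window=300, min_failures=3):
    """A login that succeeds right after a burst of failures is worth a human look."""
    recent = defaultdict(list)
    hits = []
    for ts, result, user, src in sorted(events):
        key = (src, user)
        if result == "Failed":
            recent[key].append(ts)
        else:
            count = sum(1 for t in recent[key] if (ts - t).total_seconds() <= window)
            if count >= min_failures:
                hits.append((src, user, count))
    return sorted(hits)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("brute force:", find_brute_force(ev))
    print("lockout sweeps:", find_lockout_sweeps(ev))
    print("success after failures:", successes_after_failures(ev))
```

The distinct-account count per source is the part that separates the two cases: a guessing attack against one account never trips `find_lockout_sweeps`, while an attacker trying to lock out a list of sysadmin accounts produces exactly one failure per account and never trips `find_brute_force`. Thresholds and the five-minute window are starting points to tune against your own baseline, not fixed values.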