[unisog] Password auditing

marchany@vt.edu marchany at vt.edu
Fri Jul 1 19:06:34 GMT 2005

Just to add another spin to this topic.....

IF (Big CAPITAL IF) you do proactive password checking, then I see no need to 
use the "lockout account after X failures". Why? Account lockout policies 
usually serve 1 purpose - to detect brute password attacks. Since you get the 
same info by looking at your syslog/event-logs, why not look there for clues?

Account lockouts pose a greater threat - Denial-of-Service. What if I don't 
care to guess the correct password? I just want to lock out as many accounts 
as possible in the shortest amount of time. When I've taught seminars and we 
get to this topic, I ask "how long does it take to reset the account?" and I 
get a WIDE range of answers. We got DOS'd this way about 6-7 years ago and the 
sysadmin accounts were the target. Why? To force us to be physically at the 
machine in order to login. The attack was launched in the evening so we 
couldn't log in from home. They used that window to launch the real attacks.

Just .02 here.
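The post argues that the signal an account-lockout policy gives you (someone is hammering passwords) is already in your syslog, and that lockouts add a denial-of-service risk. The script below is an added example, not part of the original post or the unisog archive, showing what "look there for clues" can mean in practice: it parses constructed sshd-style `Failed password` lines and raises two kinds of alert from the same log, a brute-force run against one account and a single source spreading failures across many accounts (the pattern that would trigger mass lockouts). The log lines, the sliding-window length and the thresholds are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in the format Linux sshd writes to syslog (no year, as in real syslog).
# The hosts, accounts and addresses are made up for this example.
SAMPLE_LOG = """\
Jul  1 18:00:01 host sshd[101]: Failed password for alice from 203.0.113.7 port 40001 ssh2
Jul  1 18:00:03 host sshd[102]: Failed password for alice from 203.0.113.7 port 40002 ssh2
Jul  1 18:00:05 host sshd[103]: Failed password for alice from 203.0.113.7 port 40003 ssh2
Jul  1 18:00:07 host sshd[104]: Failed password for alice from 203.0.113.7 port 40004 ssh2
Jul  1 18:00:09 host sshd[105]: Failed password for alice from 203.0.113.7 port 40005 ssh2
Jul  1 18:00:11 host sshd[106]: Failed password for alice from 203.0.113.7 port 40006 ssh2
Jul  1 18:01:00 host sshd[107]: Failed password for bob from 198.51.100.9 port 50001 ssh2
Jul  1 18:01:01 host sshd[108]: Failed password for carol from 198.51.100.9 port 50002 ssh2
Jul  1 18:01:02 host sshd[109]: Failed password for dave from 198.51.100.9 port 50003 ssh2
Jul  1 18:01:03 host sshd[110]: Failed password for erin from 198.51.100.9 port 50004 ssh2
Jul  1 18:01:04 host sshd[111]: Failed password for root from 198.51.100.9 port 50005 ssh2
Jul  1 18:05:00 host sshd[112]: Failed password for frank from 192.0.2.20 port 60001 ssh2
Jul  1 18:30:00 host sshd[113]: Accepted password for frank from 192.0.2.20 port 60002 ssh2
Jul  1 19:10:00 host sshd[114]: Failed password for invalid user admin from 198.51.100.9 port 50006 ssh2
"""

# Matches sshd failure lines, including the "invalid user" variant for non-existent accounts.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failures(text):
    """Return a time-sorted list of (timestamp, account, source) for each failed login."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        # Collapse the padded day field ("Jul  1") before parsing; year defaults to 1900,
        # which is fine because only differences between timestamps are used.
        ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("src")))
    events.sort()
    return events


def detect(text, window=60, per_account=5, spray_accounts=4):
    """Sliding-window detection over failed logins.

    brute_force   : one account sees >= per_account failures within `window` seconds
                    (what a lockout policy would react to).
    lockout_spray : one source fails against >= spray_accounts distinct accounts within
                    `window` seconds (the pattern that mass-locks accounts).
    Each key is reported once, at the moment its threshold is first crossed.
    Thresholds and window are assumed values for the demonstration.
    """
    by_account = defaultdict(deque)  # account -> timestamps of recent failures
    by_source = defaultdict(deque)   # source  -> (timestamp, account) of recent failures
    alerts, seen = [], set()
    for ts, user, src in parse_failures(text):
        acct = by_account[user]
        acct.append(ts)
        while (ts - acct[0]).total_seconds() > window:
            acct.popleft()
        if len(acct) >= per_account and ("brute_force", user) not in seen:
            seen.add(("brute_force", user))
            alerts.append(("brute_force", user, len(acct)))

        srcq = by_source[src]
        srcq.append((ts, user))
        while (ts - srcq[0][0]).total_seconds() > window:
            srcq.popleft()
        distinct = {u for _, u in srcq}
        if len(distinct) >= spray_accounts and ("lockout_spray", src) not in seen:
            seen.add(("lockout_spray", src))
            alerts.append(("lockout_spray", src, len(distinct)))
    return alerts


if __name__ == "__main__":
    for kind, key, count in detect(SAMPLE_LOG):
        print(f"{kind}: {key} ({count} in window)")
```

Run against the sample, the script reports alice as a brute-force target and 198.51.100.9 as a source spraying failures across accounts; frank's single mistake and the later isolated `admin` attempt stay below both thresholds. The second rule is the one a lockout policy cannot give you: by the time it fires, the lockouts have already happened, whereas the log view lets you block the source and keep the accounts usable.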
