[unisog] Password policies

Randy Marchany marchany at candi2.cirt.vt.edu
Fri Apr 21 21:22:17 GMT 2006


It's Friday and I've been reading a bunch of emails related to this thread. I 
was wondering about a couple of things.

1. Account lockouts are an anachronism. They were there in the old days when 
sysadmins had no way to detect password enumeration attacks or the sysadmin 
was just plain lazy and didn't monitor the logs. I believe a DOS attack on 
accounts is more severe than a password enumeration attack.

	a. good password strength policies reduce the possibility of a 
	   successful enumeration attack. Even the dreaded password aging
	   feature can help here.
	b. The automated attacks we see here could lock out thousands of
	   accounts in a short period of time and do so repeatedly.
	c. Every login failure generates a record of some sort and if you
	   have a syslog or eventlog scanner that monitors the logs for
	   such failures and notifies you, then you know you're under attack
	   and can adjust your defenses.
	d. If a site uses account lockouts, they have to adjust the numbers
	   to avoid a DOS attack from impacting their operations. This seems
	   to defeat the purpose of the lockout.
	e. Does setting the lockout period to a short period of time actually
	   prevent anything? Is it smoke and mirrors?

2. The arguments about changing passwords frequently seem to address a 
perceived threat of a password compromise by interception (keystroke recorder, 
phish, sniffer, etc.) or by post-it note. 2-factor authentication seemingly 
eliminates the need for aging but does it eliminate the DOS threat by account 
lockout?

Just wondering.

	-Randy
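The log-scanner approach in point 1c, as an added example that is not part of Randy's post: it parses sshd "Failed password" syslog lines and alerts per source address when one source fails too often, or against too many distinct accounts, inside a short window. The log lines are constructed samples, and the thresholds (window, failure count, account count) are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not real logs): one source trying
# several accounts in quick succession, plus ordinary noise.
SAMPLE_LOG = """\
Apr 21 21:10:01 host sshd[4011]: Failed password for alice from 198.51.100.7 port 40211 ssh2
Apr 21 21:10:02 host sshd[4012]: Failed password for bob from 198.51.100.7 port 40212 ssh2
Apr 21 21:10:02 host sshd[4013]: Failed password for invalid user carol from 198.51.100.7 port 40213 ssh2
Apr 21 21:10:03 host sshd[4014]: Failed password for dave from 198.51.100.7 port 40214 ssh2
Apr 21 21:10:04 host sshd[4015]: Failed password for erin from 198.51.100.7 port 40215 ssh2
Apr 21 21:15:30 host sshd[4100]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Apr 21 21:15:45 host sshd[4101]: Accepted password for alice from 203.0.113.5 port 51000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2006):
    """Yield (timestamp, user, ip) for each sshd failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_enumeration(text, window_s=60, max_failures=4, max_users=3):
    """Alerts keyed by source IP. Counting per source rather than per
    account means the guessing run is visible without locking anyone out."""
    events = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        events[ip].append((ts, user))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            burst = [u for t, u in evs[i:] if (t - start).total_seconds() <= window_s]
            users = set(burst)
            if len(burst) > max_failures or len(users) > max_users:
                alerts[ip] = {"failures": len(burst), "accounts": sorted(users)}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['failures']} failures against {info['accounts']}")
```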




