[unisog] Password policies
marchany at candi2.cirt.vt.edu
Fri Apr 21 21:22:17 GMT 2006
It's Friday and I've been reading a bunch of emails related to this thread. I
was wondering about a couple of things.
1. Account lockouts are an anachronism. They were there in the old days when
sysadmins had no way to detect password enumeration attacks or the sysadmin
was just plain lazy and didn't monitor the logs. I believe a DoS attack on
accounts is more severe than a password enumeration attack.
a. good password strength policies reduce the possibility of a
successful enumeration attack. Even the dreaded password aging
feature can help here.
b. The automated attacks we see here could lock out thousands of
accounts in a short period of time and do so repeatedly.
c. Every login failure generates a record of some sort and if you
have a syslog or eventlog scanner that monitors the logs for
such failures and notifies you, then you know you're under attack
and can adjust your defenses.
    d. If a site uses account lockouts, they have to adjust the numbers
       to avoid a DoS attack from impacting their operations. This seems
       to defeat the purpose of the lockout.
e. Does setting the lockout period to a short period of time actually
prevent anything? Is it smoke and mirrors?
2. The arguments about changing passwords frequently seem to address a
perceived threat of a password compromise by interception (keystroke recorder,
phish, sniffer, etc.) or by post-it note. 2-factor authentication seemingly
eliminates the need for aging but does it eliminate the DoS threat by account
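Points 1b, 1c and 1d above, as an added example that is not part of the original post or the unisog archive: a small Python scanner over constructed sshd-style "Failed password" lines that flags a source walking many accounts (the log-monitoring alternative in 1c), and beside it a simulation of what a naive per-account lockout threshold would have done with the same failures (the lockout DoS in 1b/1d). The log format, the year (syslog lines carry none), the thresholds, the account names and the IP addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: OpenSSH failures as written to syslog. Syslog stamps carry no
# year, so one is assumed. All sample data below is constructed.
YEAR = 2006
LOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def _line(ts, user, ip, invalid=False):
    kind = "invalid user " if invalid else ""
    return (f"{ts.strftime('%b %d %H:%M:%S')} host sshd[1001]: Failed password "
            f"for {kind}{user} from {ip} port 40001 ssh2")


# Constructed scenario: one source walks six accounts, three tries each,
# six seconds apart (18 failures in under two minutes); one legitimate
# user (frank) mistypes their password twice a few minutes later.
ATTACKER = "203.0.113.5"
ATTACK_ACCOUNTS = ["admin", "alice", "bob", "carol", "dave", "erin"]
_t0 = datetime(YEAR, 4, 21, 21, 0, 0)
_lines = []
for i, user in enumerate(ATTACK_ACCOUNTS):
    for j in range(3):
        _lines.append(_line(_t0 + timedelta(seconds=6 * (3 * i + j)),
                            user, ATTACKER, invalid=(user == "admin")))
_lines.append(_line(_t0 + timedelta(minutes=5, seconds=10), "frank", "198.51.100.7"))
_lines.append(_line(_t0 + timedelta(minutes=5, seconds=30), "frank", "198.51.100.7"))
SAMPLE_LOG = "\n".join(_lines) + "\n"


def parse_failures(text):
    """Return sorted (timestamp, account, source_ip) tuples for every failure line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def detect_enumeration(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag a source the first time it fails against >= min_accounts distinct
    accounts inside a sliding window. Returns {ip: (time_flagged, distinct)}."""
    recent = defaultdict(deque)   # ip -> deque of (ts, account) in window
    flagged = {}
    for ts, user, ip in sorted(events):
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_accounts and ip not in flagged:
            flagged[ip] = (ts, len(distinct))
    return flagged


def simulate_lockout(events, threshold=3, window=timedelta(minutes=30)):
    """Accounts a naive 'N failures in window' lockout policy would lock,
    mapped to the source whose failures triggered the lock."""
    per_account = defaultdict(deque)   # account -> deque of (ts, ip) in window
    locked = {}
    for ts, user, ip in sorted(events):
        q = per_account[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and user not in locked:
            locked[user] = ip
    return locked


def analyse(text):
    """Run both views over the same log: what a scanner would alert on,
    and what a lockout policy would have done to the user population."""
    events = parse_failures(text)
    return {
        "failures": len(events),
        "enumerating_sources": detect_enumeration(events),
        "locked_accounts": simulate_lockout(events),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed input the scanner raises one alert, against the single source, at the moment it touches its fifth account; the lockout simulation locks all six targeted accounts while the attacker's own access is unaffected, which is the asymmetry the post describes. The thresholds are starting points only; in a real deployment the events come from a syslog or eventlog feed rather than a string, and the windows and counts need tuning against the site's own failure baseline.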