[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Stephen John Smoogen smooge at unm.edu
Wed May 9 16:38:45 GMT 2007


Reg Quinton wrote:
>>>> We recently enabled a system to block the ssh brute force crack. Within
>>>> 48 hours we had legit users blocked. I thought we had set up very generous
>>>> limits, 10 wrong attempts on a valid account before blocking, 2 wrong on
>>>> a non-existent account. Who'd have thunk that that many users don't even
>>>> know their login name? It's a waste on systems open to users.
>> All lockout methods become a dos. If you just enforce pacing of ssh
>> sessions, you win.
> 
> We authenticate against an active directory where the policy is 15 failed 
> logins followed by a 5 min lock out. This works well enough -- locking a 
> person out forever would be a DOS, locking them out for 5 minutes is not.
> 

At my previous employment (government laboratory), our policy was
dependent on where the system was:

Low security  [public ssh server] 3 failures for a 15 minute logout
Med security  [internal systems]  3 failures/15min, report generated
High security [accounting/etc]    3 failures/lockout, report generated.

The reports were sent to management who had to present statistics for
review and were audited against it. Once we finally got this into
place, people all of a sudden remembered their passwords a lot better.

However, the best system we found was using a 2-factor system. Due to
the fact we had so many different systems, etc., it was easier to use a
Cryptocard solution versus physical fobs. [Our technicians who were in a
unit that had mandated physical fobs were carrying around 12-14 fobs,
which caused problems.]

-- 
Stephen Smoogen -- ITS/Linux Administrator
  MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
  Phone: (505) 277-7343  Email: smooge at unm.edu
 How far that little candle throws his beams! So shines a good deed
 in a naughty world. = Shakespeare. "The Merchant of Venice"
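A small tracker for the tiered lockout policy described in the post above, written here as an added example rather than code from the thread. The three-failure threshold, the 15-minute window and the report flag come from the post; the "high" tier is assumed to mean locked until an administrator clears it, and the log format and timestamps are constructed. It also shows a lock expiring, which is the difference Reg draws between a timed lockout and a permanent one that becomes a DoS.

```python
"""Tiered failed-login lockout tracker (added example, not from the unisog thread)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Tier:
    threshold: int                 # failures before the account is locked
    lock_seconds: Optional[int]    # None = locked until an admin calls unlock()
    report: bool                   # emit a report entry on lockout

# Thresholds/windows from the post; "high" as indefinite lock is an assumption.
TIERS = {
    "low":  Tier(threshold=3, lock_seconds=15 * 60, report=False),
    "med":  Tier(threshold=3, lock_seconds=15 * 60, report=True),
    "high": Tier(threshold=3, lock_seconds=None,    report=True),
}

class LockoutTracker:
    def __init__(self, tier: str):
        self.tier = TIERS[tier]
        self.failures: dict[str, int] = {}        # consecutive failures per user
        self.locked_until: dict[str, float] = {}  # epoch seconds; inf = indefinite
        self.reports: list[str] = []

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, 0.0)

    def record(self, user: str, success: bool, now: float) -> bool:
        """Process one auth event; return True if the attempt should be accepted."""
        if self.is_locked(user, now):
            return False                          # locked: reject even a correct password
        if success:
            self.failures.pop(user, None)         # success resets the failure counter
            return True
        n = self.failures[user] = self.failures.get(user, 0) + 1
        if n >= self.tier.threshold:
            secs = self.tier.lock_seconds
            self.locked_until[user] = float("inf") if secs is None else now + secs
            self.failures.pop(user, None)
            if self.tier.report:
                self.reports.append(f"{user} locked at t={now:.0f} after {n} failures")
        return False

    def unlock(self, user: str) -> None:
        self.locked_until.pop(user, None)

# Constructed sample log, one event per line: "<epoch> <user> <FAIL|OK>"
SAMPLE_LOG = "1000 alice FAIL\n1010 alice FAIL\n1020 alice FAIL\n1030 alice OK\n1950 alice OK\n"

def replay(tier: str, log: str = SAMPLE_LOG) -> tuple[LockoutTracker, list[bool]]:
    """Replay a log through a tracker; return it and the per-event accept decisions."""
    tracker, outcomes = LockoutTracker(tier), []
    for line in log.splitlines():
        ts, user, result = line.split()
        outcomes.append(tracker.record(user, result == "OK", float(ts)))
    return tracker, outcomes
```

In the sample log alice locks herself out at t=1020; under the low and med tiers the correct password at t=1030 is still rejected but the one at t=1950 (after the 900-second window) succeeds, whereas under the high tier nothing succeeds until `unlock()` is called.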