[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?
Stephen John Smoogen
smooge at unm.edu
Wed May 9 16:38:45 GMT 2007
Reg Quinton wrote:
>>>> We recently enabled a system to block the ssh brute force crack. Within
>>>> hours we had legit users blocked. I thought we had set up very generous
>>>> limits, 10 wrong attempts on a valid account before blocking, 2 wrong on
>>>> non-existent account. Who'd have thunk that that many users don't even know
>>>> their login name? It's a waste on systems open to users.
>> All lockout methods become a dos. If you just enforce pacing of ssh
>> sessions, you win.
> We authenticate against an active directory where the policy is 15 failed
> logins followed by a 5 min lock out. This works well enough -- locking a
> person out forever would be a DOS, locking them out for 5 minutes is not.
At my previous employment (government laboratory), our policy was
dependent on where the system was:
Low security [public ssh server] 3 failures for a 15 minute logout
Med security [internal systems] 3 failures/15min, report generated
High security [accounting/etc] 3 failures/lockout, report generated.
The reports were sent to management who had to present statistics for
review and were audited against it. Once we finally got this into
place.. people all of a sudden remembered their passwords a lot better.
However, the best system we found was using a 2 factor system. Due to
the fact we had so many different systems, etc it was easier to use a
Cryptocard solution versus physical fobs. [Our technicians who were in a
unit that had mandated physical fobs were carrying around 12-14 fobs..
which caused problems]
Stephen Smoogen -- ITS/Linux Administrator
MSC02 1520 1 University of New Mexico Albuquerque, NM 87131-0001
Phone: (505) 277-7343 Email: smooge at unm.edu
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
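The temporary-lockout policy the thread converges on (a fixed number of failures inside a window locks the account for a few minutes, then the lock expires on its own rather than becoming a permanent DoS) can be replayed against auth logs. The following is an added example, not code from the list or any poster; the sshd-style log lines are constructed, the ISO timestamp format is assumed for simplicity, and the defaults mirror the "3 failures / 15 minutes, report generated" tier above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# Constructed sshd-style auth lines with ISO timestamps (not from the thread).
SAMPLE_LOG = """\
2007-05-09T10:00:01 sshd[100]: Failed password for alice from 10.0.0.5 port 5000 ssh2
2007-05-09T10:00:20 sshd[101]: Failed password for alice from 10.0.0.5 port 5001 ssh2
2007-05-09T10:00:45 sshd[102]: Failed password for alice from 10.0.0.5 port 5002 ssh2
2007-05-09T10:01:10 sshd[103]: Accepted password for alice from 10.0.0.5 port 5003 ssh2
2007-05-09T10:20:00 sshd[104]: Accepted password for alice from 10.0.0.5 port 5004 ssh2
2007-05-09T10:30:00 sshd[105]: Failed password for bob from 10.0.0.9 port 6000 ssh2
2007-05-09T11:00:00 sshd[106]: Failed password for bob from 10.0.0.9 port 6001 ssh2
"""
def apply_policy(log_text, threshold=3, window_minutes=15, lock_minutes=15):
    """Replay auth events: `threshold` failures inside `window_minutes` lock the
    account for `lock_minutes`; the lock refuses even correct passwords, then
    expires by itself. Returns (decisions, report) where report lists each lock."""
    window, lock_for = timedelta(minutes=window_minutes), timedelta(minutes=lock_minutes)
    recent = defaultdict(deque)   # user -> timestamps of failures inside the window
    locked_until = {}             # user -> when the temporary lock expires
    decisions, report = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user = datetime.fromisoformat(m["ts"]), m["user"]
        if user in locked_until and ts < locked_until[user]:
            decisions.append((ts, user, "refused-locked"))
            continue
        locked_until.pop(user, None)          # an expired lock clears itself
        if m["result"] == "Accepted":
            recent[user].clear()              # success resets the failure count
            decisions.append((ts, user, "allowed"))
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:             # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            locked_until[user] = ts + lock_for
            report.append((ts, user, m["ip"]))  # line for the management report
            q.clear()
            decisions.append((ts, user, "locked"))
        else:
            decisions.append((ts, user, "failed"))
    return decisions, report
```

Run on the sample, alice's third failure locks her, her correct password a minute later is refused, and her login after the lock expires is allowed; bob's two failures 30 minutes apart never reach the threshold because the first one has aged out of the window.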