Security Basics mailing list archives

RE: Minimum password requirements


From: "Hamish Stanaway" <koremeltdown () hotmail com>
Date: Wed, 28 Jul 2004 05:52:57 +0000

Hi there Ed,

You are right about the brute forcing. However, some systems (e.g. several widely used webmail services) lock out after x attempts and lock you out via IP - this is easily exploitable to a semi-knowledgeable attacker. All they need to do (and I have seen programs that actually do this), is access the site post ban through an anonymous proxy server, and voila, three more tries. With the internet as big as it is today and proxy lists rampant over the net, it isn't hard to get 3000+ attempts on a machine a night. I guess the simple question is "is the login service accessible locally or globally (over the network OR the entire internet)" - because if it's over the net, locking out may not be as powerful as it could have been if the service were restricted to the local network.

Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com





From: "Ed Spencer" <espencer () usa net>
Reply-To: <espencer () usa net>
To: <dmargoli () stwing org>, <security-basics () securityfocus com>
Subject: RE: Minimum password requirements
Date: Fri, 23 Jul 2004 15:42:45 -0800

It's apparent that everyone agrees with using strong passwords (I left
it out of my original reply, but I was only addressing the items
mentioned) and that if there are means to enforce it they be used (if
policy warrants their use), i.e. Passflt.dll. It's apparent that the main
discussion is primarily on the need for password aging and some have
even offered possible brute force calculations for reasons NOT to age
passwords.

Here are a couple things to consider:
1. If you're brute forcing a password it should be OOB (out of band).
In other words, you're not guessing against the system.  This is the
reason most systems lock you out for a period of time (or until a reset
of some kind - usually by an administrator) when you fail your password
3 times (give or take).  Most systems also have a system of
progressively longer and longer wait times between passwords when they
are guessed incorrectly making in-band brute forcing/guessing of
passwords inconvenient and overly time consuming.

2. If you're attempting to brute a password OOB you're making much more
than 1 attempt per second.  Even with a couple of cheap PCs ($300 or less)
you can split the hash and pick up most passwords within a couple of days -
a week or two at the outside (depending on password strength and if you
use a good dictionary or simply guess all possibilities).  Admittedly
there are occasions where it may take longer, but these are usually the
exception and not the rule.  I've seen DoD documents that discuss
password aging and they use guessing against the system as means to
determine password age.  While this may be practical for some systems,
brute force against the system isn't the only means used to break
passwords on systems.

3. If you don't age passwords you don't have to change them.  Passwords
should be changed on a semi-regular basis because they are compromised.
Keep in mind that brute force isn't the only way to compromise a
password, shoulder surfing and other methods cause passwords to become
compromised.

Are there any real world examples on why to age passwords?  In my
opinion, it only takes one practical example with a high likelihood of
occurrence to make it necessary.  As I said in number 3 above - brute
force isn't the only way a password becomes compromised.  Shoulder
surfing, putting the password in scripts (not recommended but I've seen
it) and other means happen far too often and the end user may not be
aware that the password has been compromised.  Forcing password aging
means that if someone is 'borrowing' the credentials that they have to
find the 'new' password when it ages and is forced to change.

If you want more information on password use I recommend the following
documents:
Agency   Document Number   Date     Title
DoD      CSC-STD-002-85    Apr-85   Password Management Guideline - Green Book
NIST     FIPS 112          May-85   Password Usage (Part 1)
NIST     FIPS 112          May-85   Password Usage (Part 2)
NIST     FIPS 181          Oct-93   Automated Password Generator
NIST     SP 800-12         Oct-95   An Introduction To Computer Security: The NIST Handbook

Password aging is a tool like any other.  This is why I recommend 90
days for password aging of standard user accounts, 30, 45, or 60 days on
admin or privileged accounts (depending on frequency of use).  I use the
shorter times on privileged accounts because these users are more
technically savvy and are less likely to write down passwords.   If you
give end users examples of easy ways to make strong passwords they don't
have to write them down on post-it notes.  It's even possible to make
Pa$$w0rD a strong password if you pick the proper changes.  Educating
the end user in not just the policy (do it, it's policy) but how to
abide by the spirit of the policy is often part of the job.
Implementing technology is easy - working through the quagmire of
politics and other human elements is usually the most difficult part of
the job.

Just another log on the fire in this heated discussion...

Ed Spencer
MCSE/MCT/CNA/A+/Network+/Security+
Network Administrator
Aramark Corporation - Denali National Park.
-----Original Message-----
From: dmargoli () stwing org [mailto:dmargoli () stwing org]
Sent: Thursday, July 22, 2004 10:40 AM
To: security-basics () securityfocus com
Subject: Re: Minimum password requirements

Steve wrote:

> We can discuss/argue all day long, but if you don't age passwords then you
> will fail almost any IT portion of an audit from an independent auditing
> organization.

Fair enough, but that doesn't really explain *why* it makes sense (or
even if it does). If your business requires certification by an auditor
who requires that measure, fine. Perfectly understandable. But that
doesn't mean there's a good reason for such a practice (and I contend
that there is not).

> Real world example, a few departed employees had not been disabled in our
> domain, their accounts were automatically disabled.  The auditors had no
> issues with that.

I never argued against disabling inactive accounts. I think that's a
very good idea and support it completely. I argued against password
ageing.









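The two lockout mechanisms argued over in this thread, as a constructed Python model added for this archive page (not code from any of the posters): an IP-keyed lockout that a proxy-hopping guesser resets at will, beside an account-keyed throttle with progressively longer waits and a hard lock. The account name, the 203.0.113.x proxy addresses and the thresholds are assumptions.

```python
from collections import defaultdict

FREE_FAILURES = 3   # failures before throttling starts ("3 times, give or take")
BASE_DELAY = 2.0    # seconds of wait after the free failures; doubles each time
HARD_LOCK = 10      # failures after which only an administrator reset helps

class LoginThrottle:
    """Assumed throttle. per_ip_only=True models the webmail services above:
    the counter is keyed on source IP, so a fresh proxy starts from zero.
    Otherwise the account also carries a counter with growing waits and a lock."""

    def __init__(self, per_ip_only):
        self.per_ip_only = per_ip_only
        self.ip_fail = defaultdict(int)
        self.acct_fail = defaultdict(int)
        self.acct_ready_at = defaultdict(float)  # earliest time of next attempt
        self.locked = set()

    def allowed(self, account, ip, now):
        if self.ip_fail[ip] >= FREE_FAILURES:
            return False
        if self.per_ip_only:
            return True
        return account not in self.locked and now >= self.acct_ready_at[account]

    def failed(self, account, ip, now):
        self.ip_fail[ip] += 1
        self.acct_fail[account] += 1
        n = self.acct_fail[account]
        if n >= HARD_LOCK:
            self.locked.add(account)
        elif n >= FREE_FAILURES:
            # 2s, 4s, 8s, ... between attempts, whatever address they come from
            self.acct_ready_at[account] = now + BASE_DELAY * 2 ** (n - FREE_FAILURES)

def guesses_reaching_password_check(per_ip_only, proxies, tries_per_proxy, gap):
    """Constructed scenario: one attacker cycles through `proxies` addresses with
    `tries_per_proxy` wrong guesses each, `gap` seconds apart, against one
    account. Returns how many guesses got past the gate to the password check."""
    throttle = LoginThrottle(per_ip_only)
    now, reached = 0.0, 0
    for p in range(proxies):
        ip = f"203.0.113.{p}"  # constructed addresses from a documentation range
        for _ in range(tries_per_proxy):
            if throttle.allowed("alice", ip, now):
                reached += 1
                throttle.failed("alice", ip, now)  # every guess is wrong
            now += gap
    return reached
```

Running it with 1000 proxies and 3 tries each, one guess per second, lets all 3000 guesses reach the password check under the IP-only policy, against 10 under the account-keyed one before the hard lock engages.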



