Security Basics mailing list archives
RE: Minimum password requirements
From: "Hamish Stanaway" <koremeltdown () hotmail com>
Date: Wed, 28 Jul 2004 05:52:57 +0000
Hi there Ed,

You are right about the brute forcing. However, some systems (e.g. several widely used webmail services) lock out after x attempts and lock you out via IP - this is easily exploitable to a semi-knowledgeable attacker. All they need to do (and I have seen programs that actually do this) is access the site post-ban through an anonymous proxy server, and voila, three more tries. With the internet as big as it is today and proxy lists rampant over the net, it isn't hard to get 3000+ attempts on a machine a night. I guess the simple question is "is the login service accessible locally or globally (over the network OR the entire internet)" - because if it's over the net, locking out may not be as powerful as it could have been if the service were restricted to the local network.
Kindest of regards,
Hamish Stanaway
CEO Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand
http://www.webhosting.net.nz http://www.buywebhosting.co.nz http://www.koreworks.com
From: "Ed Spencer" <espencer () usa net>
Reply-To: <espencer () usa net>
To: <dmargoli () stwing org>, <security-basics () securityfocus com>
Subject: RE: Minimum password requirements
Date: Fri, 23 Jul 2004 15:42:45 -0800

It's apparent that everyone agrees with using strong passwords (I left it out of my original reply, but I was only addressing the items mentioned) and that if there are means to enforce it they be used (if policy warrants their use), i.e. Passflt.dll.
It's apparent that the main discussion is primarily on the need for password aging and some have even offered possible brute force calculations for reasons NOT to age passwords. Here are a couple of things to consider:

1. If you're brute forcing a password it should be OOB (out of band). In other words, you're not guessing against the system. This is the reason most systems lock you out for a period of time (or until a reset of some kind - usually by an administrator) when you fail your password 3 times (give or take). Most systems also have a system of progressively longer and longer wait times between passwords when they are guessed incorrectly, making in-band brute forcing/guessing of passwords inconvenient and overly time consuming.

2. If you're attempting to brute a password OOB you're making much more than 1 attempt per second. Even with a couple of cheap PCs ($300 or less) you can split the hash and pick up most passwords within a couple of days - a week or two at the outside (depending on password strength and if you use a good dictionary or simply guess all possibilities). Admittedly there are occasions where it may take longer, but these are usually the exception and not the rule. I've seen DoD documents that discuss password aging and they use guessing against the system as a means to determine password age. While this may be practical for some systems, brute force against the system isn't the only means used to break passwords on systems.

3. If you don't age passwords you don't have to change them. Passwords should be changed on a semi-regular basis because they are compromised. Keep in mind that brute force isn't the only way to compromise a password; shoulder surfing and other methods cause passwords to become compromised. Are there any real world examples on why to age passwords? In my opinion, it only takes one practical example with a high likelihood of occurrence to make it necessary.
As I said in number 3 above - brute force isn't the only way a password becomes compromised. Shoulder surfing, putting the password in scripts (not recommended but I've seen it) and other means happen far too often and the end user may not be aware that the password has been compromised. Forcing password aging means that if someone is 'borrowing' the credentials they have to find the 'new' password when it ages and is forced to change.

If you want more information on password use I recommend the following documents:

Agency  Document Number  Date    Title
DoD     CSC-STD-002-85   Apr-85  Password Management Guideline - Green Book
NIST    FIPS 112         May-85  Password Usage (Part 1)
NIST    FIPS 112         May-85  Password Usage (Part 2)
NIST    FIPS 181         Oct-93  Automated Password Generator
NIST    SP 800-12        Oct-95  An Introduction To Computer Security: The NIST Handbook

Password aging is a tool like any other. This is why I recommend 90 days for password aging of standard user accounts, and 30, 45, or 60 days on admin or privileged accounts (depending on frequency of use). I use the shorter times on privileged accounts because these users are more technically savvy and are less likely to write down passwords. If you give end users examples of easy ways to make strong passwords they don't have to write them down on post-it notes. It's even possible to make Pa$$w0rD a strong password if you pick the proper changes. Educating the end user in not just the policy (do it, it's policy) but how to abide by the spirit of the policy is often part of the job. Implementing technology is easy - working through the quagmire of politics and other human elements is usually the most difficult part of the job.

Just another log on the fire in this heated discussion...

Ed Spencer MCSE/MCT/CNA/A+/Network+/Security+
Network Administrator
Aramark Corporation - Denali National Park.
-----Original Message-----
From: dmargoli () stwing org [mailto:dmargoli () stwing org]
Sent: Thursday, July 22, 2004 10:40 AM
To: security-basics () securityfocus com
Subject: Re: Minimum password requirements

Steve wrote:
> We can discuss/argue all day long, but if you don't age passwords then you
> will fail almost any IT portion of an audit from an independent auditing
> organization.

Fair enough, but that doesn't really explain *why* it makes sense (or even if it does). If your business requires certification by an auditor who requires that measure, fine. Perfectly understandable. But that doesn't mean there's a good reason for such a practice (and I contend that there is not).

> Real world example, a few departed employees had not been disabled in our
> domain, their accounts were automatically disabled. The auditors had no
> issues with that.

I never argued against disabling inactive accounts. I think that's a very good idea and support it completely. I argued against password ageing.

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
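As an added illustration of the two throttling designs this thread contrasts (Hamish's point that a per-source-IP lockout starts fresh as soon as the attacker moves to another proxy, and Ed's point that progressively longer waits make in-band guessing impractical), the following Python is editor-supplied and not code from the list or either poster; the thresholds, delay schedule, account name and addresses are assumed or constructed for the simulation.

```python
import time
from collections import defaultdict

MAX_FREE_FAILURES = 3   # failures allowed before delays begin (assumed policy)
BASE_DELAY = 2.0        # seconds; doubles on every further failure
MAX_DELAY = 900.0       # cap the wait at 15 minutes instead of hard-locking


class IpLockout:
    """Per-source-IP lockout only: a new source address gets a clean slate."""
    def __init__(self, limit=3):
        self.limit = limit
        self.failures = defaultdict(int)

    def allowed(self, ip):
        return self.failures[ip] < self.limit

    def record_failure(self, ip):
        self.failures[ip] += 1


class AccountThrottle:
    """Progressive delay keyed by the account being guessed, whatever the source IP."""
    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(int)
        self.next_allowed = defaultdict(float)

    def required_delay(self, failures):
        if failures < MAX_FREE_FAILURES:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - MAX_FREE_FAILURES), MAX_DELAY)

    def allowed(self, account):
        return self.now() >= self.next_allowed[account]

    def record_failure(self, account):
        self.failures[account] += 1
        self.next_allowed[account] = self.now() + self.required_delay(self.failures[account])

    def record_success(self, account):
        self.failures[account] = 0
        self.next_allowed[account] = 0.0


def simulate(guesses, ips):
    """Constructed scenario: one guesser cycles through `ips` against a single account
    with the clock frozen. Returns (attempts the IP lockout admitted,
    attempts the account throttle admitted)."""
    clock = [1000.0]
    ip_lock, acct = IpLockout(), AccountThrottle(now=lambda: clock[0])
    ip_ok = acct_ok = 0
    for i in range(guesses):
        ip = ips[i % len(ips)]
        if ip_lock.allowed(ip):
            ip_ok += 1
            ip_lock.record_failure(ip)
        if acct.allowed("alice"):          # assumed target account
            acct_ok += 1
            acct.record_failure("alice")
    return ip_ok, acct_ok
```

Keying on the account trades one problem for another: a guesser can now make a legitimate user wait, which is why the delay is capped rather than turned into an administrator-reset lockout.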