Educause Security Discussion mailing list archives
Re: Please do not change your password
From: "Koerber, Jeff" <jkoerber () TOWSON EDU>
Date: Fri, 16 Apr 2010 11:34:21 -0400
I agree. If I can get a list of usernames and know the name of the organization and the password strength policy, I could come up with a few likely passwords and try them against every account. Chances are that I will come across at least one account with that password. The accounts will never get locked out. If you have a policy where users have to change their password every xx days, then it reduces the amount of time that these obvious passwords are in use.

Jeff Koerber
Supervisor, Student Computing Services Lab and Service Desk
Office of Technology Services
Towson University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Werby
Sent: Thursday, April 15, 2010 11:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

On 4/14/2010 10:47 AM, Valdis Kletnieks wrote:
> On Wed, 14 Apr 2010 09:39:06 EDT, "Jones, Dan" said:
> > Strong passwords deter brute-forcing attacks (as does the practice of locking an account after X number of failed login attempts).
>
> Yes, but once the password reaches a not-too-large size, account locking is quite sufficient to make brute-forcing impractical.

For a vertical attack, perhaps. But if your usernames are the left-hand side of your email addresses and the attacker can scrape email addresses from the web or enumerate your address book, then perform a horizontal or diagonal attack, brute force attacks are *very* practical. GoHok1es or Bl@cksburg? And I suspect most universities don't have controls to detect or mitigate such attacks. My guess is that more guessed university passwords involve attacks in which the attacker isn't too particular about which accounts he acquires passwords to.

I consider the biggest password-related failure of the information security community to be that we demand that users memorize their passwords (or alternately "don't write them down"). Sure, we don't want them to attach them to their monitor or hide them under their keyboard, but do we really believe there's a significant risk if they're kept in their wallet inside their pocket and written down in a way that doesn't clearly reveal them? Or storing them in an encrypted password vault? We're causing them to re-use passwords (http://www.sophos.com/blogs/gc/g/2009/03/10/password-website/) or create passwords that follow a similar format, which puts the systems we're trying to protect at significant risk.

Long + unique + write them down securely

Aging? I agree there's value in limiting the length of time that an attacker has undetected access. But in terms of mitigating a brute force attack, the math just doesn't support extremely frequent aging.

--
Steve Werby
Information Security Officer
Virginia Commonwealth University
VCU Information Security - http://infosecurity.vcu.edu/
News, Tips & More - http://www.twitter.com/vcuinfosec
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf
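One way to detect the horizontal or diagonal guessing discussed above (a single source failing against many accounts a few times each, so per-account lockout never fires), as an added example that is not from the thread; the log format, thresholds, usernames and addresses are constructed assumptions for the demo.

```python
# Added example (not from the thread): flag sources whose failed logins
# spread across many accounts while staying under the per-account lockout
# threshold, i.e. the attack that lockout alone does not stop.
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5      # assumed policy: failures per account before lockout
SPRAY_MIN_ACCOUNTS = 10    # assumed: distinct accounts hit from one source
WINDOW = timedelta(minutes=30)

# Constructed sample lines: "<timestamp> auth_fail user=<name> src=<ip>"
SAMPLE_LOG = [
    f"2010-04-16T09:{m:02d}:00 auth_fail user=user{m:02d} src=203.0.113.9"
    for m in range(12)          # one guess each against 12 accounts
] + [
    "2010-04-16T09:20:00 auth_fail user=jdoe src=198.51.100.4",  # vertical,
    "2010-04-16T09:21:00 auth_fail user=jdoe src=198.51.100.4",  # handled by
    "2010-04-16T09:22:00 auth_fail user=jdoe src=198.51.100.4",  # lockout
]

def parse(line):
    ts, _, user, src = line.split()
    return datetime.fromisoformat(ts), user.split("=", 1)[1], src.split("=", 1)[1]

def find_spraying(lines, window=WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS,
                  lockout=LOCKOUT_THRESHOLD):
    """Return {src: set_of_users} for sources that failed against at least
    min_accounts distinct users inside one window while every one of those
    users stayed below the lockout threshold (so no lockout alert fired)."""
    events = sorted(parse(ln) for ln in lines)
    per_src = defaultdict(list)
    for ts, user, src in events:
        per_src[src].append((ts, user))
    flagged = {}
    for src, evs in per_src.items():
        start = 0
        for end in range(len(evs)):            # sliding time window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in evs[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) < lockout:
                flagged[src] = set(counts)
    return flagged

if __name__ == "__main__":
    for src, users in find_spraying(SAMPLE_LOG).items():
        print(f"possible password spraying from {src}: {len(users)} accounts")
```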