Security Basics mailing list archives
more on strong passwords - a reply
From: "kenkousky" <kkousky () ip3inc com>
Date: Fri, 8 Aug 2003 12:23:17 -0400
To clarify some points: I'm really simply advocating multi-factor authentication rather than causing more damage than good through the misuse of passwords. Passwords are suppose to be something you know. Many IT shops have changed this making passwords so strong, they have to be written down to be remember and so they become something you "have", not something you "know". A false rejection occurs whenever we deny legitimate users access to their resources. This is also the same as a denial of service. Our legitimate users are denied access to their legitimate resources because of the security we've put in place to protect them. If we're truly worried about CIA - confidentiality, integrity and availability, then we're giving up system availability in our attempts to protect the C and I. This is extremely costly to most organizations and we usually fail to enhance the security in terms of C and I because of the difficulty in managing 20+ passwords, which survey data confirms is the reality for knowledge workers. The denial of service is the password system doing just what it's suppose to do but our implementation of it causing the problem. The goal of authentication is strong confirmation of who's at the end of a digital stream - we do this by testing for something they have, something they know or through biometrics. When we make passwords strong, for the large majority of the world, they become something you "have" and NOT something you know. You have to write them down to keep them but if it's something you have, there are far better technologies. Look at smart cards, cd cards, token generators, etc. I've worked with a F-1000 company that employs seven full time staffers to do nothing but password resets. This is an easy point of exploit for social engineering and is also a REAL and substantial cost. If we make this kind of mess out of passwords, how are we ever going to handle PKI? I'm a strong advocate for strong authentication but fortifying a system through overbuilt passwords is a vulnerability, not a defense. It's like shooting at mosquitoes with an Uzi. Far too much collateral damage. A better approach is multi-factor authentication. KWK -----Original Message----- From: Adam Newhard [mailto:atnewhard () microstrain com] Sent: Friday, August 08, 2003 9:42 AM To: security-basics () securityfocus com Subject: Re: UNIX password auditing tool and the search for dictionaries too In terms of this comment to whoever posted it (sorry, I don't remember who it was):
Strong passwords are the number one source of denial of service in
most
environments due to the frequent false reject problem that occurs
when
users can't keep up with frequent changes and strong password.
They're
also one of the highest costs for security since it's the number one task for help desks and sys admins to support.
How is it a high cost for security??? I've always found having someone come down and asking for their id and some other mode of face to face identification makes it pretty easy to reset someone's password. If you simply take advantage of all that garbage they pull on a lot of websites, like your security question is what's your mother's maiden name, you can get around them showing you a fake id...yeah, there are ways of finding out someone's info, but nothing is secure. It's the foundation of your plan that guides your performance. In terms of your dos attack, i might be misreading your question, but strong passwords being dos'd or brute forced (if you consider a really fast brute force attack a dos; i don't, but some do), a lot of places will put a piece of crap machine as their password authentication for their network. yeah, you may have a lot of people logging on and may get periodically bogged down, but you need to find the right machine that'll cause the correct amount of lag. say for a "normal" company (my idea, not necessarily yours) you have 200 people. probably, on average they log on maybe 2-3 times/day...some only once, some maybe 10 times, and those on vacation never...so give them 3 times/day. if you have a fast machine doing password checks and it takes only a second for the logon sequence (password verification), it'll be about 600 seconds or 10 min (200 people x 3 logons/day x 1 sec)...theoretically, of course. if i want to brute force the machine i can do 60/sec. take a crap machine, stable mind you just a slower processor, that takes 10 seconds to verify a password and you've dropped to 6 attempts/sec. Yeah, you do go from 10 min/day of verification to 50 min (if my math is correct) so that's something you need to consider when you think about if it's worth it or not...after finding a reasonable value, it is to me. You could consider it an easier target for dos b/c it's much slower, but then again, you also have to take into consideration this...if you're gonna try to get in using someone's password, why would you attack a crap machine that's exceptionally slow...i'd just stand behind them while they type in their password. i might've missed part of your statement, so if i did...i apologize. after reading your statement, one more thing...if strong password authentication causes a lot of dos b/c people are trying to logon constantly w/the wrong password b/c of password changes, why are you even letting them attempt to logon so many times? if a person mistypes their password 3-5 times, the account should either be deactivated until that person comes and gets you or for a certain number of minutes. print a nice pretty message to the user that this has happened and send yourself a note also so you can go find them if need be. there are holes to that one just like anything (i.e. your boss doesn't like it), but like i said before, nothing's really perfect. if dos'ing occurs b/c people keep entering the wrong password, that's more your fault than theirs. out of curiosity, where did you find it saying that dos is the number one problem w/strong passwords??? adam ---------------------------------------------------- Adam Newhard Microstrain, Inc. If vegetarians eat vegetables, watch out for humanitarians ----- Original Message ----- From: "Michael Martinez" <mmartinez () tamsco com> To: <security-basics () securityfocus com> Sent: Thursday, August 07, 2003 4:48 PM Subject: RE: UNIX password auditing tool and the search for dictionaries too
Before you go too far with strong passwords, remember, they do moreharmthan good in most cases. You trust your money to a four digit pin so think about strong authentication, not strong passwords. Two factor
can
be done with a variety of inexpensive technologies.Are you kidding me, you are under the impression that a 4 digit pin is secure? I for one have no illusions about how insecure a 4 digit pin actually is! Whatever security is provided by said 4 digit pin is
more
related to that fact that there are not freely available pin cracking tools for ATM machines...as there are password cracking tools.Strong passwords are the number one source of denial of service in
most
environments due to the frequent false reject problem that occurs
when
users can't keep up with frequent changes and strong password.
They're
also one of the highest costs for security since it's the number one task for help desks and sys admins to support.As a help desk supervisor, I assure you that the related cost of time and money supporting the reset of passwords is minimal and therefore a small price to pay for increased security. ...In terms of dictionaries, I think the aggressive approach would
include
concatenations and number and special character injections into the words. In more secure environments, were users are battered withmonthlypassword changes they usually inject the numeric value for the month somewhere in a common word. But the point is, it's not too difficult
to
build a really big database of words with special character and
numeric
injections, run them through the hash algorithm and have a table to check for matches.If someone were in an environment where they must change their
password
monthly...they are probably using the wrong technology. Perhaps a combination of different layers would be a better solution to monthly changes. ... -----Original Message----- From: Shane Lahey [mailto:s.lahey () roadrunner nf net] Sent: Monday, August 04, 2003 7:38 PM To: james.easterling () ed gov; security-basics () securityfocus com Subject: RE: UNIX password auditing tool Alec Muffett Crack :: http://www.crypticide.org/users/alecm/-----Original Message----- From: james.easterling () ed gov [mailto:james.easterling () ed gov] Sent: Monday, August 04, 2003 4:39 PM To: security-basics () securityfocus com Subject: UNIX password auditing tool I have tried searches for UNIX password cracking tools and I have
come
upwith little value. Can someone direct me to passwd auditing tools besides "John The Ripper" that are free or cost? Regards, James
------------------------------------------------------------------------
---
------------------------------------------------------------------------
----
------------------------------------------------------------------------
---
------------------------------------------------------------------------
----
------------------------------------------------------------------------
---
------------------------------------------------------------------------
----
------------------------------------------------------------------------ -- -
------------------------------------------------------------------------ -- --
------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- RE: UNIX password auditing tool and the search for dictionaries too kenkousky (Aug 07)
- RE: UNIX password auditing tool and the search for dictionaries too Michael Martinez (Aug 07)
- Re: UNIX password auditing tool and the search for dictionaries too Adam Newhard (Aug 08)
- more on strong passwords - a reply kenkousky (Aug 08)
- RE: UNIX password auditing tool and the search for dictionaries too Nick Owen (Aug 13)
- Re: UNIX password auditing tool and the search for dictionaries too Adam Newhard (Aug 08)
- <Possible follow-ups>
- RE: UNIX password auditing tool and the search for dictionaries too Tomas Wolf (Aug 11)
- RE: UNIX password auditing tool and the search for dictionaries too Tim Heagarty (Aug 11)
- RE: UNIX password auditing tool and the search for dictionaries too Mike Dresser (Aug 11)
- RE: UNIX password auditing tool and the search for dictionaries too Michael Martinez (Aug 07)