Educause Security Discussion mailing list archives
Re: Password policy publication
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 28 Oct 2008 12:14:04 -0400
On Tue, 28 Oct 2008 11:01:00 CDT, "Shalla, Kevin" said:
> So the systems are not configured to lock an account after a certain number of failed password attempts?

An amazing number of sites in fact don't do that, sometimes for a good reason. Consider that if you *do* lock accounts, then the attacker can intentionally blow the password count on all your sysadmin userids - at which point you can't logon and deal with the attacker. We actually had this happen to us - outside office hours, the hacker locked out all our system guys, and then had a *lot* of fun in the 20-30 minutes it took to get somebody onsite who could login at the console (which didn't have a lockout set).

And then there's the even more numerous sites that try to set up account locking, but fail to do it for *every* place. Sure, your Windows boxes and Active Directory may do locking - but did you check *every* web app that does authentication to make sure it does it as well? Your webmail server? Those 5 creeping horror applications that Student Billing runs to let students look at their bills online? And so on...
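The lockout trade-off Valdis describes, modelled as an added example (not code from the thread or from any system it mentions): a per-account lockout lets anyone who knows an admin username lock the admin out from everywhere, while a policy that counts failures per (username, source) and exempts the local console only locks the guessing source out. All usernames, addresses and the threshold are constructed sample values.

```python
from collections import defaultdict

# Constructed sample values (not from the thread).
ADMIN = "sysadmin"
ATTACKER_IP = "203.0.113.9"   # documentation address range
ADMIN_IP = "10.0.0.5"
CONSOLE = "console"           # local console login path
THRESHOLD = 5


class AccountLockout:
    """Naive policy: N failed attempts against a username lock that username,
    no matter where the attempts came from or where the next login comes from."""
    def __init__(self, threshold=THRESHOLD):
        self.threshold, self.failures = threshold, defaultdict(int)

    def record_failure(self, user, source):
        self.failures[user] += 1

    def allowed(self, user, source):
        return self.failures[user] < self.threshold


class SourceAwareLockout:
    """Alternative: failures are counted per (username, source) pair and the
    local console is never locked, so a remote guesser can only lock its own
    source out of the account, not the legitimate admin."""
    def __init__(self, threshold=THRESHOLD):
        self.threshold, self.failures = threshold, defaultdict(int)

    def record_failure(self, user, source):
        if source != CONSOLE:
            self.failures[(user, source)] += 1

    def allowed(self, user, source):
        return source == CONSOLE or self.failures[(user, source)] < self.threshold


def simulate(policy):
    """One source burns the failure budget on the admin account; then check
    whether the admin can still log in remotely and at the console, and
    whether the guessing source can. Returns (admin_remote, admin_console, guesser)."""
    for _ in range(policy.threshold):
        policy.record_failure(ADMIN, ATTACKER_IP)
    return (policy.allowed(ADMIN, ADMIN_IP),
            policy.allowed(ADMIN, CONSOLE),
            policy.allowed(ADMIN, ATTACKER_IP))


if __name__ == "__main__":
    print("per-account lockout :", simulate(AccountLockout()))      # (False, False, False)
    print("source-aware lockout:", simulate(SourceAwareLockout()))  # (True, True, False)
```

Counting per source is weaker against guessing spread over many addresses, so in practice it is paired with rate limiting or progressive delays rather than used as the only control.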