Educause Security Discussion mailing list archives

Re: Password policy publication


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 28 Oct 2008 12:14:04 -0400

On Tue, 28 Oct 2008 11:01:00 CDT, "Shalla, Kevin" said:
> So the systems are not configured to lock an account after a certain
> number of failed password attempts?

An amazing number of sites in fact don't do that, sometimes for a good
reason.  Consider that if you *do* lock accounts, then the attacker can
intentionally blow the password count on all your sysadmin userids - at
which point you can't log on and deal with the attacker.  We actually had
this happen to us - outside office hours, the hacker locked out all our
system guys, and then had a *lot* of fun in the 20-30 minutes it took to
get somebody onsite who could log in at the console (which didn't have
a lockout set).

And then there's the even more numerous sites that try to set up account
locking, but fail to do it for *every* place.  Sure, your Windows boxes and
Active Directory may do locking - but did you check *every* web app that
does authentication to make sure it does it as well?  Your webmail server?
Those 5 creeping horror applications that Student Billing runs to let
students look at their bills online?  And so on...
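The trade-off described in the message above (hard lockout stops guessing but hands an attacker a way to lock your own administrators out) is usually resolved with a throttle rather than a permanent lock. The following is an added example, not code from the thread or from any product mentioned in it. It counts failures per (account, source) pair so that one remote source tripping the limit blocks only that source for that account, applies a doubling delay instead of an indefinite lock, and exempts sources listed in a hypothetical CONSOLE_SOURCES set to mirror the console-without-lockout recovery path the message relies on. The credential store, the account names and the 203.0.113.x / 192.0.2.x addresses are constructed sample data.

```python
"""Login throttle that resists lockout-as-denial-of-service (added example).

Assumptions (none of these come from the original thread):
  * failures are counted per (account, source) pair;
  * once MAX_FAILURES is reached, that pair is refused for a delay that
    doubles with every further failure, capped at MAX_DELAY_SECONDS;
  * sources in CONSOLE_SOURCES are never throttled (hypothetical label for
    the physical console, which the message says had no lockout).
"""
from dataclasses import dataclass, field
import hmac

MAX_FAILURES = 5            # failures per (account, source) before throttling
BASE_DELAY_SECONDS = 30.0   # first throttle delay
MAX_DELAY_SECONDS = 3600.0  # cap on the doubling delay
CONSOLE_SOURCES = {"console"}   # hypothetical: local console is exempt


@dataclass
class _Counter:
    failures: int = 0
    blocked_until: float = 0.0   # absolute time on the caller's clock


@dataclass
class LoginThrottle:
    # Constructed sample credential store: username -> password.  A real
    # deployment would verify against a password hash, not a plaintext map.
    credentials: dict
    _state: dict = field(default_factory=dict)   # (user, source) -> _Counter

    def _password_ok(self, user: str, password: str) -> bool:
        stored = self.credentials.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode(), password.encode())

    def attempt(self, user: str, password: str, source: str, now: float) -> str:
        """Return 'ok', 'bad-credentials' or 'throttled'.

        `now` is an explicit clock value so the policy is easy to test and
        so the caller controls which clock is authoritative.
        """
        if source in CONSOLE_SOURCES:
            # Recovery path: the console is never locked, so admins can
            # always get in even while remote sources are being throttled.
            return "ok" if self._password_ok(user, password) else "bad-credentials"
        key = (user, source)
        counter = self._state.setdefault(key, _Counter())
        if now < counter.blocked_until:
            return "throttled"           # refused even if the password is right
        if self._password_ok(user, password):
            self._state.pop(key, None)   # success clears this pair's history
            return "ok"
        counter.failures += 1
        if counter.failures >= MAX_FAILURES:
            excess = counter.failures - MAX_FAILURES
            delay = min(BASE_DELAY_SECONDS * (2 ** excess), MAX_DELAY_SECONDS)
            counter.blocked_until = now + delay
        return "bad-credentials"

    def retry_after(self, user: str, source: str, now: float) -> float:
        """Seconds until the (user, source) pair may try again; 0 if not blocked."""
        counter = self._state.get((user, source))
        if counter is None:
            return 0.0
        return max(0.0, counter.blocked_until - now)


if __name__ == "__main__":
    # Constructed scenario: an attacker at 203.0.113.9 burns through the
    # sysadmin account's attempt budget; the admin still gets in elsewhere.
    throttle = LoginThrottle({"sysadmin": "correct horse battery staple"})
    for _ in range(MAX_FAILURES):
        throttle.attempt("sysadmin", "guess", "203.0.113.9", now=0.0)
    print("attacker source:", throttle.attempt("sysadmin", "correct horse battery staple", "203.0.113.9", now=1.0))
    print("admin from office:", throttle.attempt("sysadmin", "correct horse battery staple", "192.0.2.10", now=1.0))
    print("admin at console:", throttle.attempt("sysadmin", "correct horse battery staple", "console", now=1.0))
```

The point of keying on the (account, source) pair is that the message's scenario (attacker locks every sysadmin userid from outside) only blocks the attacker's own source; the admins' usual workstations and the console keep working. Because the policy lives in one component, the same object can be called from the web apps, webmail and billing front ends the message lists, which addresses its second complaint that lockout tends to be applied inconsistently across authentication points.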
