Educause Security Discussion mailing list archives
Re: Password policy publication
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Tue, 28 Oct 2008 10:26:24 -0700
Kevin,

A brute-force attack may or may not require access to the password file. An attacker could try an online brute-force attack by repeatedly trying to login over the network. There are tools, such as THC Hydra, that allow an attacker to attempt this against a number of different protocols/authentication methods. Obviously, this is not as fast as an offline attack and may trigger account lockout, IDS alerts, and result in log entries, but if the passwords are weak it can work.

An offline attack is much more effective, but it does require that the attacker already has access to the password file (or another repository). This doesn't mean that it isn't important. Occasionally there are vulnerabilities in web applications or other software that allow an attacker to snag a copy of the password file using only anonymous web access. Even when that is not the case, the password file is a coveted item to an attacker.

We have to assume that our systems will be breached from time to time even if we take care to secure them. We may misconfigure something, or an attacker may be using a 0-day exploit (when no patch is available). Unless an attacker has a narrow goal such as defacing a website, he will usually want to take steps to maintain his access to a system and to leverage his access on one system to gain entry to the rest of the network. This is what makes the password file so valuable to him. He may be able to get in using a remote 0-day exploit today, but that hole may be patched in a week or two. If he can crack some legitimate accounts he can get back in without the exploit.

Cracking passwords is a good way to gain access to additional systems on a network because the passwords used on one machine often work on others as well. The attacker will crack as many passwords as he can so that he can try those credentials on other systems. It is easiest if the usernames are the same, but he may take the time to match up accounts with different names; i.e. Bob Jones might be bjones on one system and jones.b or bob.jones on another. An attacker may also use the passwords that he is able to crack to gain access to personal accounts or accounts on another network. If he cracks Bob Jones' password and also notices that Bob sends himself email from bjones65 at hotmail.com, he may take a stab at that account too.

We can't view security as being only about keeping people out; it's also about detection and containment. This is why the concept of defense-in-depth is so important.

Cheers,

Steven Alexander Jr.
Online Education Systems Manager
Merced College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin
Sent: Tuesday, October 28, 2008 7:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy publication

Doesn't this require stealing the password file, so that you can run the brute-force attack? Or are we protecting from sysadmins who already have access to the password file?

<snip>
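The online brute-force case Steven describes leaves log entries behind; the following is an added detection example, not code from the thread or from any of the posters. It parses constructed OpenSSH-style sshd lines and flags any source address that produces a threshold of failed logins inside a sliding window; the sample lines, the threshold of 5 and the 300-second window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd log lines for illustration; not from a real host.
SAMPLE_LOG = """\
Oct 28 10:01:02 host1 sshd[2201]: Failed password for bjones from 203.0.113.7 port 51002 ssh2
Oct 28 10:01:03 host1 sshd[2202]: Failed password for bjones from 203.0.113.7 port 51003 ssh2
Oct 28 10:01:04 host1 sshd[2203]: Failed password for bjones from 203.0.113.7 port 51004 ssh2
Oct 28 10:01:05 host1 sshd[2204]: Failed password for invalid user admin from 203.0.113.7 port 51005 ssh2
Oct 28 10:01:06 host1 sshd[2205]: Failed password for bjones from 203.0.113.7 port 51006 ssh2
Oct 28 10:05:00 host1 sshd[2210]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Oct 28 10:06:00 host1 sshd[2211]: Accepted password for alice from 198.51.100.4 port 40011 ssh2
Oct 28 10:20:00 host1 sshd[2215]: Failed password for bjones from 203.0.113.7 port 51020 ssh2
"""
# Matches both "password for USER" and "password for invalid user USER" forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_auth_log(text, year=2008):
    """Return (timestamp, result, user, source_ip) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_bruteforce_sources(events, threshold=5, window_seconds=300):
    """Flag each source IP with >= threshold failed logins in any sliding window of
    window_seconds; report total failures and the usernames tried (one account vs. a spray)."""
    failures = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(fails), "users": sorted({u for _, u in fails})}
                break
    return flagged
```

The source 203.0.113.7 is flagged (six failures against two usernames), while alice's single failed attempt followed by a successful login from 198.51.100.4 is not.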
Current thread:
- Password policy publication Geoff Nathan (Oct 25)
- <Possible follow-ups>
- Re: Password policy publication Roger Safian (Oct 27)
- Re: Password policy publication Allison Dolan (Oct 27)
- Re: Password policy publication Valdis Kletnieks (Oct 27)
- Re: Password policy publication Shalla, Kevin (Oct 28)
- Re: Password policy publication Adam Nave (Oct 28)
- Re: Password policy publication Roger Safian (Oct 28)
- Re: Password policy publication Shalla, Kevin (Oct 28)
- Re: Password policy publication Valdis Kletnieks (Oct 28)
- Re: Password policy publication Steven Alexander (Oct 28)
- Re: Password policy publication Roger Safian (Oct 28)
- Re: Password policy publication Matthew Gracie (Oct 29)