Educause Security Discussion mailing list archives

Re: Password policy publication


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Tue, 28 Oct 2008 10:26:24 -0700

Kevin,

A brute-force attack may or may not require access to the password file.

An attacker could try an online brute-force attack by repeatedly trying to login over the network.  There are tools, 
such as THC Hydra, that allow an attacker to attempt this against a number of different protocols/authentication 
methods.  Obviously, this is not as fast as an offline attack and may trigger account lockout, IDS alerts, and result 
in log entries, but if the passwords are weak it can work.

An offline attack is much more effective, but it does require that the attacker already has access to the password 
file (or another repository).  This doesn't mean that it isn't important.

Occasionally there are vulnerabilities in web applications or other software that allow an attacker to snag a copy of 
the password file using only anonymous web access.  Even when that is not the case, the password file is a coveted item 
to an attacker.  We have to assume that our systems will be breached from time to time even if we take care to secure 
them.  We may misconfigure something, or an attacker may be using a 0-day exploit (when no patch is available).

Unless an attacker has a narrow goal such as defacing a website, he will usually want to take steps to maintain his 
access to a system and to leverage his access on one system to gain entry to the rest of the network.  This is what 
makes the password file so valuable to him.  He may be able to get in using a remote 0-day exploit today, but that hole 
may be patched in a week or two.  If he can crack some legitimate accounts he can get back in without the exploit.

Cracking passwords is a good way to gain access to additional systems on a network because the passwords used on one 
machine often work on others as well.  The attacker will crack as many passwords as he can so that he can try those 
credentials on other systems.  It is easiest if the usernames are the same, but he may take the time to match up 
accounts with different names; i.e. Bob Jones might be bjones on one system and jones.b or bob.jones on another.  An 
attacker may also use the passwords that he is able to crack to gain access to personal accounts or accounts on another 
network.  If he cracks Bob Jones' password and also notices that Bob sends himself email from bjones65 at hotmail.com, 
he may take a stab at that account too.

We can't view security as being only about keeping people out; it's also about detection and containment.  This is why 
the concept of defense-in-depth is so important.

Cheers,

Steven Alexander Jr.
Online Education Systems Manager
Merced College


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin
Sent: Tuesday, October 28, 2008 7:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy publication

Doesn't this require stealing the password file, so that you can run the
brute-force attack?  Or are we protecting from sysadmins who already have
access to the password file?

<snip>
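Steven's point that an online brute-force attempt is noisy (lockouts, IDS alerts, log entries) is something a defender can act on. The following is an added example, not part of either message: it scans OpenSSH-style auth log lines (format assumed; the sample lines are constructed) for sources that fail many logins in a short window, notes when the same source cycles through username variants such as bjones/jones.b/bob.jones, and records whether a successful login followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH-style auth log lines (format assumed; the sample below is constructed, not a real capture).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(lines, year=2008):
    """Yield (timestamp, result, user, ip) for matching lines; unrelated lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["result"], m["user"], m["ip"]

def detect_online_bruteforce(lines, max_failures=5, window_seconds=60):
    """Flag source IPs with >= max_failures failed logins inside window_seconds (the signature of an
    online guessing tool), the usernames tried, and whether a success followed the burst."""
    recent = defaultdict(list)   # ip -> (ts, user) failures still inside the sliding window
    findings = {}
    for ts, result, user, ip in sorted(parse(lines)):
        if result == "Failed":
            recent[ip] = [(t, u) for t, u in recent[ip] if (ts - t).total_seconds() <= window_seconds]
            recent[ip].append((ts, user))
            if len(recent[ip]) >= max_failures:
                f = findings.setdefault(ip, {"failures": 0, "users": set(), "success_after_burst": None})
                f["failures"] = max(f["failures"], len(recent[ip]))
                f["users"].update(u for _, u in recent[ip])
        elif ip in findings:             # an Accepted login from an already-flagged source
            findings[ip]["success_after_burst"] = user
    return findings

# Constructed sample: one source sprays account-name variants, then gets in; another is a normal user.
SAMPLE_LOG = """\
Oct 28 07:30:01 web1 sshd[2001]: Failed password for bjones from 192.0.2.10 port 40001 ssh2
Oct 28 07:30:03 web1 sshd[2002]: Failed password for bjones from 192.0.2.10 port 40002 ssh2
Oct 28 07:30:05 web1 sshd[2003]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Oct 28 07:30:07 web1 sshd[2004]: Failed password for jones.b from 192.0.2.10 port 40004 ssh2
Oct 28 07:30:09 web1 sshd[2005]: Failed password for bob.jones from 192.0.2.10 port 40005 ssh2
Oct 28 07:30:12 web1 sshd[2006]: Accepted password for bjones from 192.0.2.10 port 40006 ssh2
Oct 28 07:31:00 web1 sshd[2007]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Oct 28 07:45:00 web1 sshd[2008]: Accepted password for alice from 198.51.100.7 port 50002 ssh2
"""

if __name__ == "__main__":
    for ip, finding in detect_online_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

A burst followed by an accepted login from the same source is the case to treat as a likely compromised account rather than just a blocked scan.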
