Educause Security Discussion mailing list archives
Re: Stats re: passwords
From: randy marchany <marchany () VT EDU>
Date: Fri, 16 Oct 2009 20:15:29 -0400
It's been an interesting thread so far :-). One of the advantages of being an old geek is that you realize that some of today's traditional defenses were designed to combat 20-25 year old threats. I mentioned in my blog a while ago that account lockouts were the ONLY defense against brute force password attacks 25 years ago because Unix/VMS and other OSes at the time had NO password strength mechanisms. That's obviously changed now, but we still use account lockouts, which IMHO cause account lockout attacks to impact an org. Spaf's blog says basically the same thing. Ironically, it was probably Spaf's Practical Unix Security book that helped propagate this practice. Someone read it in the 90's, wrote it into a 2000 checklist, someone reads that checklist and puts it in a 2003 checklist, etc. So, we need to constantly check and verify our passwords in order to avoid complacency with regard to password strength rules.

Since the 2007 shootings, our office has had a lot of experience running password guessing tools like Ophcrack (my favorite, especially with the rainbow tables feature) to break into machines. We've been cracking upper/lower case passwords (no #'s or special chars) up to 16 characters in less than 20 minutes. It's making me think that we need to change our model and move to 2 factor login processes like an OTP fob. Still require the userid/password combination but add an OTP to the login process. It doesn't eliminate the keystroke logger attack (I did a paper on this back in 1996 and the end result was no one would accept an attachment from me :-)) entirely, but if you tailor your OTP lifetimes, it is a better defense than what we have now.

So, are any of you guys using OTP fobs as part of the login process? I'm only talking about logins and not digital signature type processes.

-Randy Marchany
VA Tech IT Security Office