Educause Security Discussion mailing list archives

Re: Stats re: passwords


From: randy marchany <marchany () VT EDU>
Date: Fri, 16 Oct 2009 20:15:29 -0400

It's been an interesting thread so far :-). One of the advantages of
being an old geek is that you realize that some of today's traditional
defenses were designed to combat 20-25 year old threats. I mentioned
in my blog a while ago that account lockouts were the ONLY defense
against brute force password attacks 25 years ago because Unix/VMS
and other OS at the time had NO password strength mechanisms. That's
obviously changed now but we still use account lockouts which IMHO
cause account lockout attacks to impact an org. Spaf's blog says
basically the same thing. Ironically, it was probably Spaf's Practical
Unix Security book that helped propagate this practice. Someone read it
in the 90's, wrote it in a 2000 checklist, someone reads that
checklist and puts it in a 2003 checklist, etc.

So, we need to constantly check and verify our passwords in order to
avoid complacency with regard to password strength rules.

Since the 2007 shootings, our office has had a lot of experience
running password guessing tools like Ophcrack (my favorite especially
with the rainbow tables feature) to break into machines. We've been
cracking upper/lower case passwords (no #'s or special chars) up to 16
characters in less than 20 minutes.

It's making me think that we need to change our model and move to 2
factor login processes like an OTP fob. Still require the
userid/password combination but add an OTP to the login process. It
doesn't eliminate the keystroke logger attack ( I did a paper on this
back in 1996 and the end result was no one would accept an attachment
from me :-)) entirely but if you tailor your OTP lifetimes, it is a
better defense than what we have now.

So, are any of you guys using OTP fobs as part of the login process?
I'm only talking about logins and not digital signature type
processes.

-Randy Marchany
VA Tech IT Security Office
