Educause Security Discussion mailing list archives
Re: Please do not change your password
From: Steve Werby <smwerby () VCU EDU>
Date: Thu, 15 Apr 2010 11:24:49 -0400
On 4/14/2010 10:47 AM, Valdis Kletnieks wrote:
> On Wed, 14 Apr 2010 09:39:06 EDT, "Jones, Dan" said:
>> Strong passwords deter brute-forcing attacks (as does the practice of locking an account after X number of failed login attempts).
> Yes, but once the password reaches a not-too-large size, account locking is quite sufficient to make brute-forcing impractical.

For a vertical attack, perhaps. But if your usernames are the left-hand side of your email addresses and the attacker can scrape email addresses from the web or enumerate your address book, then perform a horizontal or diagonal attack, brute-force attacks are *very* practical. GoHok1es or Bl@cksburg? And I suspect most universities don't have controls to detect or mitigate such attacks. My guess is that more guessed university passwords involve attacks in which the attacker isn't too particular about which accounts he acquires passwords to.

I consider the biggest password-related failure of the information security community to be that we demand that users memorize their passwords (or alternately "don't write them down"). Sure, we don't want them to attach them to their monitor or hide them under their keyboard, but do we really believe there's a significant risk if they're kept in their wallet inside their pocket and written down in a way that doesn't clearly reveal them? Or storing them in an encrypted password vault? We're causing them to re-use passwords (http://www.sophos.com/blogs/gc/g/2009/03/10/password-website/) or create passwords that follow a similar format, which puts the systems we're trying to protect at significant risk.

Long + unique + write them down securely

Aging? I agree there's value in limiting the length of time that an attacker has undetected access. But in terms of mitigating a brute-force attack, the math just doesn't support extremely frequent aging.

-- 
Steve Werby
Information Security Officer
Virginia Commonwealth University
VCU Information Security - http://infosecurity.vcu.edu/
News, Tips & More - http://www.twitter.com/vcuinfosec
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf
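The vertical versus horizontal distinction in the message above, as an added detection example that is not part of the original thread: a small Python script over constructed sshd-style log lines (assumed format; the addresses are RFC 5737 test ranges) that tallies failures per source and per account, and flags a source that spreads its guesses across many accounts while staying under the per-account lockout threshold, which is exactly the case a lockout-only control never sees.

```python
"""Distinguish horizontal (many accounts, few tries each) from vertical
(one account, many tries) password guessing in sshd-style auth logs.
A per-account lockout only ever fires for the vertical case."""
import re
from collections import defaultdict

# Constructed sample lines using RFC 5737 test addresses, not real log data.
SAMPLE_LOG = [
    "Apr 15 10:01:02 mail sshd[1]: Failed password for alice from 203.0.113.7 port 4001 ssh2",
    "Apr 15 10:01:03 mail sshd[1]: Failed password for bob from 203.0.113.7 port 4002 ssh2",
    "Apr 15 10:01:04 mail sshd[1]: Failed password for carol from 203.0.113.7 port 4003 ssh2",
    "Apr 15 10:01:05 mail sshd[1]: Failed password for dave from 203.0.113.7 port 4004 ssh2",
    "Apr 15 10:01:06 mail sshd[1]: Failed password for alice from 203.0.113.7 port 4005 ssh2",
    "Apr 15 10:02:00 mail sshd[1]: Failed password for erin from 198.51.100.9 port 5001 ssh2",
    "Apr 15 10:02:01 mail sshd[1]: Accepted password for erin from 198.51.100.9 port 5002 ssh2",
] + [  # one account hammered from one source: the classic vertical attack
    f"Apr 15 10:03:0{i} mail sshd[1]: Failed password for frank from 192.0.2.44 port 600{i} ssh2"
    for i in range(5)
]

LINE_RE = re.compile(r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(lines):
    """Return {source_ip: {username: failure_count}}; accepted logins are ignored."""
    fails = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group(1) == "Failed":
            fails[m.group(3)][m.group(2)] += 1
    return fails

def classify(fails, lockout_threshold=5, spray_accounts=3):
    """Per source IP: 'vertical' if some account reached the lockout threshold,
    'horizontal' if it probed >= spray_accounts distinct accounts while staying
    under the threshold on every one of them, else 'benign'."""
    verdicts = {}
    for ip, per_user in fails.items():
        if max(per_user.values()) >= lockout_threshold:
            verdicts[ip] = "vertical"
        elif len(per_user) >= spray_accounts:
            verdicts[ip] = "horizontal"
        else:
            verdicts[ip] = "benign"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify(parse_failures(SAMPLE_LOG)).items():
        print(ip, verdict)
```

The thresholds are assumptions to tune per site; a real deployment would also key on time windows and on the same source hitting several authentication endpoints (mail, VPN, SSO) rather than sshd alone.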