Educause Security Discussion mailing list archives

Re: Measures of detecting breached email accounts


From: Joseph Tam <tam () MATH UBC CA>
Date: Fri, 8 Dec 2017 14:14:23 -0800

On Thu, 7 Dec 2017, Valdis Kletnieks wrote:

On Thu, 07 Dec 2017 00:09:46 -0800, Joseph Tam said:
I've seen both diffuse and intensive failed logins -- neither is
worth looking at from a security standpoint.  It's not uncommon for
me to see thousands of guesses against one account, especially against
administrative accounts.

Are you employing any sort of rate limiting or temp lockout/block when these
thousands are flooding in from off campus?

On some systems (e.g. ssh), yes.

However, for mail authentication, consecutive failures followed by
success is typical of people who change their password, but neglect to
update the cached password in their reader.  Or they enter the wrong
password to start with, then walk away, then come back to find
they haven't authenticated properly.

If you're talking an office worth of people or a small set of highly locked
down accounts, OK, look at it.  But on a scale of 10K users, forget it.

In the scenario you're talking about, a typical scenario might be a third
party password compromised that leads to the intruder trying variations at
your site.  This will usually be detected by locale analysis, which can
operate at scale.

In another scenario, a student shoulder surfs an office staff member,
gets a rough idea of keyboard location of the password, then tries variations
from your local WiFi.  That's tough, and I concede if you investigated
that, it could have caught the student.  However, as I pointed out, the
problem is differentiating this from the 100x more likely scenario that
someone fat fingered their password.

Joseph Tam <tam () math ubc ca>
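The two signals discussed above, "a run of failures followed by a success on one account" and "a success from a locale the account has not used before", as a small added detector run over sample log lines. This is an added example, not code from the thread or from any institution's mail system; the `imap-auth` log format, the IP prefixes (documentation ranges only) and the prefix-to-country table are all constructed for the example, and a real deployment would use a GeoIP database and a tuned failure threshold.

```python
"""Added example: toy detectors for the two signals the thread discusses.

(1) failures_then_success: a success preceded by >= N consecutive failures
    on the same account (the "thousands of guesses" case), with the
    threshold set high enough that fat-fingered passwords are not flagged.
(2) new_locale_logins: a success from a country the account has never used
    before (the "locale analysis" that scales to 10K users).

Log format, IP addresses and country table are constructed, not real.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class AuthEvent:
    ts: str      # timestamp string; lines are assumed to arrive in order
    user: str    # account name
    src: str     # client IP address
    ok: bool     # True for a successful authentication


# Hypothetical "imap-auth" line format, constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) imap-auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: alice mistypes twice (noise), admin is guessed
# six times from off campus before a success, bob logs in from two places.
SAMPLE_LOG = """\
2017-12-08T08:00:01 imap-auth user=alice src=192.0.2.10 result=FAIL
2017-12-08T08:00:02 imap-auth user=alice src=192.0.2.10 result=FAIL
2017-12-08T08:00:03 imap-auth user=alice src=192.0.2.10 result=OK
2017-12-08T09:15:00 imap-auth user=bob src=192.0.2.20 result=OK
2017-12-08T09:15:01 imap-auth user=admin src=203.0.113.7 result=FAIL
2017-12-08T09:15:02 imap-auth user=admin src=203.0.113.7 result=FAIL
2017-12-08T09:15:03 imap-auth user=admin src=203.0.113.7 result=FAIL
2017-12-08T09:15:04 imap-auth user=admin src=203.0.113.7 result=FAIL
2017-12-08T09:15:05 imap-auth user=admin src=203.0.113.7 result=FAIL
2017-12-08T09:15:06 imap-auth user=admin src=203.0.113.7 result=FAIL
2017-12-08T09:15:07 imap-auth user=admin src=203.0.113.7 result=OK
2017-12-08T10:00:00 imap-auth user=bob src=198.51.100.4 result=OK
"""

# Constructed prefix -> country table; a real system would use a GeoIP db.
GEO_PREFIXES = {"192.0.2.": "A", "198.51.100.": "B", "203.0.113.": "B"}


def parse_log(text):
    """Parse matching lines into AuthEvent objects; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(AuthEvent(m["ts"], m["user"], m["src"],
                                    m["result"] == "OK"))
    return events


def failures_then_success(events, threshold=5):
    """Return (user, fail_count, src, ts) for every success that directly
    follows at least `threshold` consecutive failures on that account."""
    run = defaultdict(int)   # current failure streak per user
    hits = []
    for e in events:
        if not e.ok:
            run[e.user] += 1
            continue
        if run[e.user] >= threshold:
            hits.append((e.user, run[e.user], e.src, e.ts))
        run[e.user] = 0      # a success ends the streak either way
    return hits


def lookup_country(ip):
    """Longest-prefix-free toy lookup; 'unknown' when no prefix matches."""
    for prefix, country in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return country
    return "unknown"


def new_locale_logins(events, known=None):
    """Return (user, country, src, ts) for successes from a country not in
    the account's history. `known` seeds prior history; an account with no
    history cannot be flagged, which is why this needs a baseline window."""
    seen = {u: set(c) for u, c in (known or {}).items()}
    hits = []
    for e in events:
        if not e.ok:
            continue
        country = lookup_country(e.src)
        history = seen.setdefault(e.user, set())
        if history and country not in history:
            hits.append((e.user, country, e.src, e.ts))
        history.add(country)
    return hits


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("burst-then-success:", failures_then_success(EVENTS, 5))
    print("new locale:", new_locale_logins(EVENTS, {"admin": {"A"}}))
```

With the threshold at 5, alice's two mistyped passwords produce nothing while admin's six guesses followed by a success are flagged; drop the threshold to 2 and alice is flagged too, which is the false-positive flood the thread warns about at 10K-user scale. The locale rule flags admin only when seeded with prior history, and flags bob's second login on its own once his first login has established a baseline.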

