Educause Security Discussion mailing list archives
Re: Brute force credentials protection
From: Dexter Caldwell <dexter.caldwell () FURMAN EDU>
Date: Tue, 5 Mar 2019 16:13:47 +0000
The article makes valid points; we've been OK with using the threshold, though with something less than 15 attempts. Yes, it does require users to learn how to change passwords. This is a repercussion of single sign-on. But keep in mind, the pain is also relative to your password expiry and even complexity settings, so my advice is that we should use password policy tools with the right mix to our advantage rather than excluding any options from the toolbag by policy.

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Maud, Phil
Sent: Tuesday, March 5, 2019 6:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Brute force credentials protection

This makes interesting reading
https://ravingroo.com/295/active-directory-account-lockout-policy-threshold-counter-strong-password/

Regards
Phil Maud
Information Security Analyst
Information Services, Building 63 (IT) G7
E: P.H.Maud () cranfield ac uk
T: +44 (0) 1234 75 4879

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Mike Dronen
Sent: 04 March 2019 20:04
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Brute force credentials protection

All - Looks like it's been a while since this topic has come up in the forum. I'm wondering how you protect against brute force password attempts, i.e. two-factor auth. In our environment we set an attribute in AD to lock the user account for a prescribed period of time after four failed attempts. This appears to work for us. Just wondering if there are other mechanisms just as good or better? Thanks.
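The threshold trade-off discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of a lockout counter (threshold, reset window, lockout duration), replayed over constructed login attempts. The window and duration values, the second threshold of 10, and the stale-device scenario are assumptions for illustration; this is not Active Directory's own implementation.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int   # failed attempts that trigger a lockout
    window_s: int    # counter resets once this long has passed since the last failure
    duration_s: int  # how long the account stays locked

def replay(policy, attempts):
    """attempts: list of (seconds, password_ok) for one account.
    Returns one outcome per attempt: ok, fail, fail+lock or locked."""
    fails, last_fail, locked_until = 0, None, None
    outcomes = []
    for ts, ok in attempts:
        if locked_until is not None:
            if ts < locked_until:
                # Locked accounts reject every attempt, correct password included.
                outcomes.append("locked")
                continue
            fails, last_fail, locked_until = 0, None, None  # lockout expired
        if last_fail is not None and ts - last_fail >= policy.window_s:
            fails = 0  # reset window elapsed with no new failure
        if ok:
            fails, last_fail = 0, None
            outcomes.append("ok")
            continue
        fails += 1
        last_fail = ts
        if fails >= policy.threshold:
            locked_until = ts + policy.duration_s
            outcomes.append("fail+lock")
        else:
            outcomes.append("fail")
    return outcomes

# Constructed scenario: after a password change, a device keeps retrying the
# old password once a minute, then the user signs in with the new one.
ATTEMPTS = [(0, False), (60, False), (120, False), (180, False),
            (240, False), (300, True)]

STRICT = LockoutPolicy(threshold=4, window_s=1800, duration_s=900)
LOOSER = LockoutPolicy(threshold=10, window_s=1800, duration_s=900)

if __name__ == "__main__":
    for name, policy in (("threshold 4", STRICT), ("threshold 10", LOOSER)):
        print(name, replay(policy, ATTEMPTS))
```

With a threshold of four, the legitimate sign-in at the end is rejected because the account is already locked; with the higher threshold it succeeds.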