Firewall Wizards mailing list archives
Re: password aging
From: Paul McNabb <mcnabb () argus-systems com>
Date: Thu, 3 Sep 1998 15:10:22 -0500 (CDT)
From steve () aztech net Tue Sep 1 03:27:15 1998:

> Password changes are logged and audited to the same degree. Accounts are
> currently "locked out" after N unsuccessful attempts to change the
> password. (False, but true enough for a public statement) Granted, the
> previous policy will need to be rethought.
The concept of blocking accounts based on failed attempts to change the password is similar to blocking accounts because of bad login attempts. The idea of locking accounts after N unsuccessful login attempts is a mechanism that almost always introduces new, dangerous scenarios. In particular, it allows an anonymous attacker to block an account.

Issues that need to be considered include the following. Not all apply to a password modification attempt in the same way as for a bad login attempt, but the questions may stimulate some extra analysis.

Can an "administrator" account be so blocked? The implications of this should be immediately obvious. Once an attacker has broken in, he can block anyone that may be a danger to him so that he can take his time doing his damage.

Do accounts require human intervention to become unblocked? I can think of horrible problems trying to unblock an account at odd hours or in crunch times. How about if 20,000 accounts have been blocked? This may be considered a DOS attack with administrator availability as the resource being attacked.

Should other factors be considered before blocking the account (e.g., time of day, source of login attempt, "type" of account or user, etc.)?

Should other factors be considered when unblocking an account (e.g., unblocking occurs automatically after X seconds/minutes, an automatically unblocked account requires a "secondary authentication" during the login sequence, etc.)?

I'd recommend carefully considering a blocking mechanism before going ahead with one. There are too many issues that could end up causing major headaches.

paul

---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com     Savoy, IL 61874 USA
TEL 217-355-6308                FAX 217-355-1433
"Securing the Future"
---------------------------------------------------------
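One way to build a lockout mechanism that answers the questions raised in the post, as an added example that is not part of the original message and not any product's code: failures are counted per (account, source) pair so that a remote attacker cannot block a user who logs in from elsewhere; a block never has to be cleared by hand because it expires after a configurable number of seconds; an automatically unblocked account must pass a secondary authentication step on its next login; and privileged accounts named in the policy are never hard-locked, only forced through that secondary step. Every name, threshold and the fake clock are assumptions chosen for illustration.

```python
"""Lockout tracker that throttles per (account, source) and auto-unblocks.

Constructed example; class names, thresholds and the FakeClock are
illustrative assumptions, not any system's real API.
"""
import time
from collections import defaultdict
from dataclasses import dataclass

# Decisions returned by LockoutTracker.check()
ALLOW = "allow"
STEP_UP = "allow_with_secondary_auth"   # login may proceed, but only with a second factor
BLOCKED = "blocked"


@dataclass
class LockoutPolicy:
    max_failures: int = 5            # N failures before throttling kicks in
    failure_window: float = 300.0    # only failures within this many seconds count
    unblock_after: float = 900.0     # X seconds until an automatic unblock
    privileged: frozenset = frozenset({"root", "admin"})  # never hard-locked


class FakeClock:
    """Deterministic clock so the example (and its tests) run offline."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


class LockoutTracker:
    def __init__(self, policy=None, clock=time.monotonic):
        self.policy = policy or LockoutPolicy()
        self.clock = clock
        self._failures = defaultdict(list)   # (account, source) -> failure timestamps
        self._blocked_until = {}             # (account, source) -> expiry time
        self._needs_step_up = set()          # accounts that were auto-unblocked

    def _prune(self, key, now):
        # Sliding window: drop failures older than policy.failure_window.
        cutoff = now - self.policy.failure_window
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]

    def record_failure(self, account, source):
        now = self.clock()
        key = (account, source)
        if key in self._blocked_until:
            return  # already blocked; further failures do not extend the block
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.policy.max_failures:
            # Block only this account/source pair, with a fixed expiry.
            self._blocked_until[key] = now + self.policy.unblock_after
            self._failures[key].clear()

    def record_success(self, account, source):
        # A successful (step-up) login clears all state for this pair.
        key = (account, source)
        self._failures.pop(key, None)
        self._blocked_until.pop(key, None)
        self._needs_step_up.discard(account)

    def check(self, account, source):
        """Decide what the login sequence may do for this account/source."""
        now = self.clock()
        key = (account, source)
        expiry = self._blocked_until.get(key)
        if expiry is not None:
            if now < expiry:
                if account in self.policy.privileged:
                    return STEP_UP   # admins stay reachable, but only with a second factor
                return BLOCKED
            # Timer expired: automatic unblock, no human intervention needed,
            # but the next login must pass secondary authentication.
            del self._blocked_until[key]
            self._needs_step_up.add(account)
        if account in self._needs_step_up:
            return STEP_UP
        return ALLOW


if __name__ == "__main__":
    clk = FakeClock()
    tracker = LockoutTracker(LockoutPolicy(max_failures=3, unblock_after=120), clock=clk)
    for _ in range(3):
        tracker.record_failure("alice", "10.0.0.9")
    print("alice from 10.0.0.9:", tracker.check("alice", "10.0.0.9"))
    print("alice from 192.0.2.7:", tracker.check("alice", "192.0.2.7"))
    clk.t += 121
    print("alice after expiry:", tracker.check("alice", "10.0.0.9"))
```

Scoping the counter to the (account, source) pair is what defuses the "anonymous attacker blocks an account" and "20,000 blocked accounts" scenarios: the attacker can only exhaust their own source, and legitimate users elsewhere keep their normal login path.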