Firewall Wizards mailing list archives

Re: password aging


From: Paul McNabb <mcnabb () argus-systems com>
Date: Thu, 3 Sep 1998 15:10:22 -0500 (CDT)

 From steve () aztech net  Tue Sep  1 03:27:15 1998
 
 Password changes are logged and audited to the same degree.  Accounts
 are currently "locked out" after N unsuccessful attempts to change the
 password.  (False, but true enough for a public statement)
 
 Granted, the previous policy will need to be rethought.

The concept of blocking accounts based on failed attempts to change the
password is similar to blocking accounts because of bad login attempts.
The idea of locking accounts after N unsuccessful login attempts is
a mechanism that almost always introduces new, dangerous scenarios.
In particular, it allows an anonymous attacker to block an account.
Issues that need to be considered include the following.  Not all
apply to a password modification attempt in the same way as for a bad
login attempt, but the questions may stimulate some extra analysis.

Can an "administrator" account be so blocked?  The implications of
this should be immediately obvious.  Once an attacker has broken in,
he can block anyone that may be a danger to him so that he can take
his time doing his damage.

Do accounts require human intervention to become unblocked?  I can
think of horrible problems trying to unblock an account at odd hours
or in crunch times.  How about if 20,000 accounts have been blocked?
This may be considered a DOS attack with administrator availability
as the resource being attacked.

Should other factors be considered before blocking the account (e.g.,
time of day, source of login attempt, "type" of account or user, etc.)?

Should other factors be considered when unblocking an account (e.g.,
unblocking occurs automatically after X seconds/minutes, an automatically
unblocked account requires a "secondary authentication" during the login
sequence, etc.)?

I'd recommend carefully considering a blocking mechanism before going
ahead with one.  There are too many issues that could end up causing
major headaches.

paul

---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------
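One way to build the questions raised above into a lockout mechanism, added here as an illustration and not part of Paul's message or any Argus Systems product: failures are counted per (account, source) so an anonymous party cannot lock an account for everyone else, locks expire on their own after X seconds with no administrator involved, an automatically unlocked account must pass a secondary check before it is fully trusted, and accounts on a protected list are escalated rather than hard-locked. The policy numbers, the `protected` list and the state names are assumptions.

```python
import time
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    max_failures: int = 5        # the "N" of N unsuccessful attempts (assumed value)
    window_seconds: int = 300    # failures older than this no longer count (assumed)
    lockout_seconds: int = 900   # the "X": block expires on its own, no admin needed
    # hypothetical list of accounts that must never be hard-locked by a stranger
    protected: frozenset = frozenset({"root", "admin"})

@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0
    step_up_required: bool = False  # set once a lock has expired automatically

class LockoutTracker:
    """Counts failures per (account, source) so one anonymous source cannot
    block the account for everyone else; hard locks expire by themselves."""
    def __init__(self, policy, clock=time.time):
        self.policy, self.clock, self.state = policy, clock, {}

    def check(self, account, source):
        """Call before verifying a credential: 'allow', 'allow_step_up' or 'locked'."""
        now = self.clock()
        st = self.state.setdefault((account, source), AccountState())
        if st.locked_until > now:
            return "locked"
        if st.locked_until:  # lock has expired: lift it, but demand secondary auth
            st.locked_until, st.failures, st.step_up_required = 0.0, [], True
        return "allow_step_up" if st.step_up_required else "allow"

    def record_failure(self, account, source):
        now = self.clock()
        st = self.state.setdefault((account, source), AccountState())
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.failures = []
            if account in self.policy.protected:
                st.step_up_required = True  # escalate instead of locking an admin
            else:
                st.locked_until = now + self.policy.lockout_seconds
        return self.check(account, source)

    def record_success(self, account, source):
        """A successful full login (including any step-up) clears all state."""
        self.state.pop((account, source), None)
```

The per-source keying trades away some protection against a distributed guesser in exchange for removing the single-source denial of service the message describes; which side of that trade is right depends on the deployment.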


