Firewall Wizards mailing list archives
Re: password aging
From: "Stephen P. Gibbons" <steve () aztech net>
Date: Thu, 03 Sep 1998 20:00:20 -0700
Since others have asked that this thread be dropped, this will be my last comment. (It's certainly been an interesting thread [for some] and deserves discussion, but firewall-wizards is probably not the appropriate place for it.) I apologize to those who feel similarly that have waded through the discussion or hovered over the delete button. Paul McNabb wrote:
From steve () aztech net Tue Sep 1 03:27:15 1998 Password changes are logged and audited to the same degree. Accounts are currently "locked out" after N unsucessful attempts to change the password. (False, but true enough for a public statement) Granted, the previous policy will need to be rethought.The concept of blocking accounts based on failed attempts to change the password is similar to blocking accounts because of bad login attempts. The idea of locking accounts after N unsuccessful login attempts is a mechanism that almost always introduces new, dangerous scenarios. In particular, it allows an anonymous attacker to block an account. Issues that need to be considered include the following. Not all apply to a password modification attempt in the same way as for a bad login attempt, but the questions may stimulate some extra analysis.
It's actually an extension of the failed authentication lockout. We requirethe user to re-authenticate prior to a password change (standard practice) If the re-authentication fails, the bad-logins counter is bumped for that user. The intent is to prevent an unattended session from being usurped completeley. (I think we're on the same page, here.)
Can an "administrator" account be so blocked? The implications of this should be immediately obvious. Once an attacker has broken in, he can block anyone that may be a danger to him so that he can take his time doing his damage.
Administrator accounts live in a different name-space and are notaccessable by the primary users of the system. Admin accounts can only be accessed via the administrative network. With physical access to the system, the god-admin account can be retaken, if compromised (doubtful that it would be for reasons that I won't discuss in public.).
Do accounts require human intervention to become unblocked? I can think of horrible problems trying to unblock an account at odd hours or in crunch times. How about if 20,000 accounts have been blocked? This may be considered a DOS attack with administrator availability as the resource being attacked.
Staffing is 24x7. Self-service is available, and requires more (confirmed)information than is required for registration. The self-service option also has a maximum failure limit, at which point human intervention is required. 20K locked out accounts would be a third-level support issue (me) and would take about an hour to undo (well, more time, with the paperwork involved.) It would take an attacker longer to lock the accounts out than it would to fix them. It's highly likeley that the attacker would be shunned before it reached anything close to that level. DOS attacks are highly preferred to outright compromises, in any event.
Should other factors be considered before blocking the account (e.g., time of day, source of login attempt, "type" of account or user, etc)?
Yes. (and they are.)
Should other factors be considered when unblocking an account (e.g., unblocking occurs automatically after X seconds/minutes, an automatically unblocked account requires a "secondary authentication" during the login sequence, etc.)?
Yes. (and they are.)
I'd recommend carefully considering a blocking mechanism before going ahead with one. There are too many issues that could end up causing major headaches.
We have.
paul --------------------------------------------------------- Paul McNabb Argus Systems Group, Inc. Vice President and CTO 1809 Woodfield Drive mcnabb () argus-systems com Savoy, IL 61874 USA TEL 217-355-6308 FAX 217-355-1433 "Securing the Future" ---------------------------------------------------------
-- Steve
Current thread:
- RE: password aging, (continued)
- RE: password aging Rick Smith (Sep 01)
- Re: password aging Joseph S. D. Yao (Sep 01)
- Re: password aging Stephen P. Gibbons (Sep 01)
- Re: password aging Joseph S. D. Yao (Sep 01)
- Re: password aging Stephen P. Gibbons (Sep 01)
- Re[2]: password aging Steve . Bleazard (Sep 02)
- Re: Re[2]: password aging Alec Muffett - SunLabs (Sep 02)
- Re: Re[2]: password aging Aleph One (Sep 02)
- Re: Re[2]: password aging Ryan Russell (Sep 03)
- Re: Re[2]: password aging Michael Shields (Sep 06)
- Re: password aging Paul McNabb (Sep 03)
- Re: password aging Stephen P. Gibbons (Sep 06)