Re: password aging

["Stephen P. Gibbons" <steve () aztech net>]

Since others have asked that this thread be dropped, this will be my last
comment.
(It's certainly been an interesting thread [for some] and deserves
discussion,
but firewall-wizards is probably not the appropriate place for it.)  I
apologize
to those who feel similarly that have waded through the discussion or hovered

over the delete button.

Paul McNabb wrote:

> >  From steve () aztech net  Tue Sep  1 03:27:15 1998
> >
> >  Password changes are logged and audited to the same degree.  Accounts
> >  are currently "locked out" after N unsucessful attempts to change the
> >  password.  (False, but true enough for a public statement)
> >
> >  Granted, the previous policy will need to be rethought.
>
> The concept of blocking accounts based on failed attempts to change the
> password is similar to blocking accounts because of bad login attempts.
> The idea of locking accounts after N unsuccessful login attempts is
> a mechanism that almost always introduces new, dangerous scenarios.
> In particular, it allows an anonymous attacker to block an account.
> Issues that need to be considered include the following.  Not all
> apply to a password modification attempt in the same way as for a bad
> login attempt, but the questions may stimulate some extra analysis.

It's actually an extension of the failed authentication lockout.  We
requirethe user to re-authenticate prior to a password change (standard
practice)  If the re-authentication fails, the bad-logins counter is bumped
for that user.  The intent is to prevent an unattended session from being
usurped completeley.  (I think we're on the same page, here.)

> Can an "administrator" account be so blocked?  The implications of
> this should be immediately obvious.  Once an attacker has broken in,
> he can block anyone that may be a danger to him so that he can take
> his time doing his damage.

Administrator accounts live in a different name-space and are notaccessable
by the primary users of the system.  Admin accounts can
only be accessed via the administrative network.  With physical
access to the system, the god-admin account can be retaken, if
compromised (doubtful that it would be for reasons that I won't discuss
in public.).

> Do accounts require human intervention to become unblocked?  I can
> think of horrible problems trying to unblock an account at odd hours
> or in crunch times.  How about if 20,000 accounts have been blocked?
> This may be considered a DOS attack with administrator availability
> as the resource being attacked.

Staffing is 24x7.  Self-service is available, and requires more
(confirmed)information than is required for registration.  The self-service
option also
has a maximum failure limit, at which point human intervention is required.
20K locked out accounts would be a third-level support issue (me) and
would take about an hour to undo (well, more time, with the paperwork
involved.)  It would take an attacker longer to lock the accounts out than
it would to fix them.  It's highly likeley that the attacker would be shunned

before it reached anything close to that level.  DOS attacks are highly
preferred to outright compromises, in any event.

> Should other factors be considered before blocking the account (e.g.,
> time of day, source of login attempt, "type" of account or user, etc)?

Yes.  (and they are.)

> Should other factors be considered when unblocking an account (e.g.,
> unblocking occurs automatically after X seconds/minutes, an automatically
> unblocked account requires a "secondary authentication" during the login
> sequence, etc.)?

Yes.  (and they are.)

> I'd recommend carefully considering a blocking mechanism before going
> ahead with one.  There are too many issues that could end up causing
> major headaches.

We have.

> paul
>
> ---------------------------------------------------------
> Paul McNabb                     Argus Systems Group, Inc.
> Vice President and CTO          1809 Woodfield Drive
> mcnabb () argus-systems com        Savoy, IL 61874 USA
> TEL 217-355-6308
> FAX 217-355-1433                "Securing the Future"
> ---------------------------------------------------------

--
Steve