Security Incidents mailing list archives

Re: Dial-Up Percentage Abuse


From: Nathan Vack <njvack () lithium hsl wisc edu>
Date: Fri, 07 Jun 2002 12:49:48 -0500

Chris wrote:

As in someone brute forcing/guessing/conning a password for a dial-up
account and using that account to launch attacks on systems and do generally
malicious things.  I am trying to show the importance of forcing customers
to select secure passwords (8 char+ w/ numbers, letters and other printable
char) to my staff.  Any suggestions would be great.

Sorry, I don't have a study, but let me go theoretical for a second (very round numbers used here):

- Assume a username is known
- Assume the attacker knows the password to be contained in a 10,000 word dictionary
- Assume a dial-up and password try takes 5 seconds on average
- Assume dialing up is free (not true in many parts of the US, at least)

This means that the attacker need make 10,000 attempts in the worst-case or roughly 5,000 attempts on average to be guaranteed a compromise. If every try takes 5 seconds we're dealing with:
5,000 * 5 = 25,000 seconds = just under 7 hours for an average compromise.

Not too good.

However, if you're using, say, 5 character, all lowercase passwords (not very good, as far as passwords go), you've got: 26^5 = 11,881,376 passwords to try, so 5,940,688 seconds for an average compromise. Crypto folks know that the character distribution won't actually be uniform so a good heuristic might bring this down significantly. Say you're still looking at something on the order of 1,000,000 attempts on average. Then you've got about 1388 hours = about 57 days for an average compromise. Rather better.

You should be finding out every time someone tries the wrong password -- brute forcing attacks through a login portal of your design should be very loud attacks indeed. Dial-ups are worse, even -- here in Wisconsin, we pay something on the order of $0.04 per call.

All bets are off if the attacker grabs the password file. Then 1,000,000 attempts are over in seconds or less.

My personal philosophy is that complex passwords invite people to write them on bits of paper taped to the screen. I'm a fan of keeping a *tight* eye on /etc/shadow, adding delays to auth failures, good logs, and training users on password hygiene and social engineering. It's hard enough to keep people from writing passwords on stuff when they *can* remember them.

Just my $0.02.

-Nate
HSL Systems
UW Madison
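
The back-of-the-envelope model above, written out as an added example (this is not code from the original post or from HSL/UW Madison). It uses the post's round numbers (a 10,000-word dictionary, 5 seconds per dial-up and login attempt, 26^5 lowercase passwords, the ~1,000,000-guess heuristic, $0.04 per call) and lets you vary them; the offline crack rate of 1,000,000 guesses per second and the 10-second per-failure delay are assumptions chosen for illustration, not figures from the post.

```python
"""Back-of-the-envelope cost of a dial-up password-guessing attack.

Added example, not code from the original message. Inputs default to the
post's round numbers; guesses_per_second (offline cracking) and the
per-failure delay passed from main() are illustrative assumptions.
"""

from dataclasses import dataclass

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def average_attempts(candidates: int) -> float:
    """A uniformly chosen password is hit after half the candidates on
    average; the worst case is all of them."""
    return candidates / 2


def online_seconds(attempts: float, seconds_per_try: float,
                   failure_delay: float = 0.0) -> float:
    """Online guessing: every attempt costs a dial-up plus a login, and any
    delay the server adds after a failed login is paid on each wrong guess."""
    return attempts * (seconds_per_try + failure_delay)


def call_cost(attempts: float, dollars_per_call: float) -> float:
    """Telephone charges when each guess is one call (the post's $0.04/call)."""
    return attempts * dollars_per_call


def offline_seconds(attempts: float, guesses_per_second: float) -> float:
    """With the password file in hand there is no dial-up: guesses run at
    the speed of the cracking box (rate is an assumption)."""
    return attempts / guesses_per_second


@dataclass
class Scenario:
    name: str
    attempts: float
    online_s: float
    dollars: float
    offline_s: float


def run_scenarios(seconds_per_try: float = 5.0,
                  dollars_per_call: float = 0.04,
                  guesses_per_second: float = 1_000_000.0,  # assumption
                  failure_delay: float = 0.0) -> list:
    """The three cases from the post, evaluated under one set of assumptions."""
    cases = [
        ("10,000-word dictionary", average_attempts(10_000)),
        ("5 lowercase, uniform", average_attempts(keyspace(26, 5))),
        ("5 lowercase, heuristic (~1e6 guesses)", 1_000_000.0),
    ]
    return [
        Scenario(name, attempts,
                 online_seconds(attempts, seconds_per_try, failure_delay),
                 call_cost(attempts, dollars_per_call),
                 offline_seconds(attempts, guesses_per_second))
        for name, attempts in cases
    ]


if __name__ == "__main__":
    # 10 s per failed login is an illustrative assumption, not the post's figure.
    for delay in (0.0, 10.0):
        print(f"--- delay after each failed login: {delay:g}s ---")
        for s in run_scenarios(failure_delay=delay):
            print(f"{s.name:40s} {s.attempts:>12,.0f} tries  "
                  f"{s.online_s / SECONDS_PER_DAY:8.1f} days online  "
                  f"${s.dollars:>10,.0f} in calls  "
                  f"{s.offline_s:8.1f} s offline")
```

Running it reproduces the post's figures (5,000 tries at 5 s is just under 7 hours; 1,000,000 tries is about 58 days) and makes two of the post's other points visible side by side: a per-failure delay multiplies the online cost of every scenario, while the offline column is unaffected by any of it, which is why /etc/shadow deserves the tight eye.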


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
