Re: Detecting Brute-Force and Dictionary attacks
- From: "Greg Metcalfe" <metcalfegreg@xxxxxxxxx>
- Date: Tue, 14 Nov 2006 07:51:58 -0800
On Monday 13 November 2006 12:44, you wrote:
i fully agree that solutions submitted here are suggestions and might not
apply for all contexts, but I'm sure it helps to create new solutions and
ideas that might be valid for many of the current architectures, so in my
opinion, all suggestions here are still valid!
what u suggest to perform AAA ? just curious as you suggest, i guess youThere are ways (of varying intrusiveness) to tighten up password usage in many
organizations. Exact procedures should depend upon the nature of the
organization, but it might be wise to change the almost boilerplate text
found in most corporate security policies that prevents passwords from being
written down, to enforcement of strong passwords, and allowing them to be
written down. The requirement would then change to proper protection of that
list, by keeping it in a wallet, adding it to a card hanging behind an ID
badge (if such is used), etc.
Security officers might even consider implementing a system (on a hardened
host) which creates a list of strong passwords, as even well-intentioned
users are often terrible at this. Such a system would have to be very
carefully implemented, of course, and important aspects would be human
factors which for some reason are often considered last, if at all. Those
human factors go beyond the obvious enforcement requirements having to do
with proper list protection.
For instance, you might want to record issued passwords or their hashes. If
so, you might want to record them on removable media, perhaps stored in the
tape safe. That could be a practicality and/or enforcement issue. Another
example would be in specifying password strength tests. The effectiveness of
this lies partly in the comprehensiveness of dictionaries. How many languages
are spoken within the organization? Do HR policies allow this information to
be collected and used? How is it updated? On a more purely technical note,
are specialized dictionaries, such as dictionaries of Shakespearean
characters, relevant technical terms, etc., available?
I don't think that password authentication has become completely useless, but
I do contend that it needs to be evaluated carefully in the context of the
OTOH, an organization with many people doing lots of Web surfing done from
Microsoft platforms might be well advised to move to certificates. Keystroke
loggers installed by 'drive by' are just too common, can now capture virtual
keyboards as well, etc. Attacks with the same payloads, but delivered over
IM, etc., will also become increasingly common, while encryption and/or
covert channels will make it increasingly hard to detect compromised machines
as they phone home. Hmmm, this para is getting off-topic for a Linux list.
Problems with certificates might include such things as aging them
appropriately, educating users in how to protect them, compatability with
existing network applications, etc.
Choosing a system depends on a security officer and his/her staff (if any)
having a good knowledge of the systems in place, the general security
knowledge of not only the admin staff, but the general user base (and there's
truly a gorilla in the room on this issue), and of course the threat model.
I do ramble on, don't I? Sorry about that, particularly if you're already
aware of all of this. But the list is getting a CC, and I'm sure some of the
members are *not* aware of all this.
"Personally, I'm against the whole idea of authenticating via passwords, at
least as corporate password policies are currently and commonly implemented"