Re: Dial-Up Percentage Abuse

From: Nathan Vack (njvack@lithium.hsl.wisc.edu)
Date: 06/07/02


Date: Fri, 07 Jun 2002 12:49:48 -0500
From: Nathan Vack <njvack@lithium.hsl.wisc.edu>
To: Chris <brahma@mendolink.com>

Chris wrote:

> As in someone brute forcing/guessing/conning a password for a dial-up
> account and using that account to launch attacks on systems and do generally
> malicious things. I am trying to show the importance of forcing customers
> to select secure passwords (8 char+ w/ numbers, letters and other printable
> char) to my staff. Any suggestions would be great.

Sorry, I don't have a study, but let me go theoretical for a second
(very round numbers used here):

- Assume a username is known
- Assume the attacker knows the password to be contained in a 10,000
word dictionary
- Assume a dial-up and password try takes 5 seconds on average
- Assume dialing up is free (not true in many parts of the US, at least)

This means that the attacker need make 10,000 attempts in the worst-case
or roughly 5,000 attempts on average to be guaranteed a compromise. If
every try takes 5 seconds we're dealing with:
5,000 * 5 = 25,000 seconds = just under 7 hours for an average compromise.

Not too good.

However, if you're using, say, 5 character, all lowercase passwords (not
very good, as far as passwords go), you've got:
26^5 = 11,881,376 passwords to try, so 5,940,688 seconds for an average
compromise. Crypto folks know that the character distribution won't
actually be uniform so a good heuristic might bring this down significantly.
Say you're still looking at something on the order of 1,000,000 attempts
on average.
Then you've got about 1388 hours = about 57 days for an average
compromise. Rather better.

You should be finding out every time someone tries the wrong password --
brute forcing attacks through a login portal of your design should be
very loud attacks indeed. Dial-ups are worse, even -- here in Wisconsin,
we pay something on the order of $0.04 per call.

All bets are off if the attacker grabs the password file. Then 1,000,000
attempts are over in seconds or less.

My personal philosophy is that complex passwords invite people to write
them on bits of paper taped to the screen. I'm a fan of keeping a
*tight* eye on /etc/shadow, adding delays to auth failures, good logs,
and training users on password hygiene and social engineering. It's hard
enough to keep people from writing passwords on stuff when they *can*
remember them.

Just my $0.02.

-Nate
HSL Systems
UW Madison

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com