Educause Security Discussion
mailing list archives
Re: Password policy publication
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 28 Oct 2008 12:14:04 -0400
On Tue, 28 Oct 2008 11:01:00 CDT, "Shalla, Kevin" said:
> So the systems are not configured to lock an account after a certain
> number of failed password attempts?
An amazing number of sites in fact don't do that, sometimes for a good
reason. Consider that if you *do* lock accounts, then the attacker can
intentionally blow the password count on all your sysadmin userids - at
which point you can't logon and deal with the attacker. We actually had
this happen to us - outside office hours, the hacker locked out all our
system guys, and then had a *lot* of fun in the 20-30 minutes it took to
get somebody onsite who could login at the console (which didn't have
a lockout set).
And then there are the even more numerous sites that try to set up account
locking, but fail to do it for *every* place. Sure, your Windows boxes and
Active Directory may do locking - but did you check *every* web app that
does authentication to make sure it does it as well? Your webmail server?
Those 5 creeping horror applications that Student Billing runs to let
students look at their bills online? And so on...
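The trade-off Valdis describes (hard account lockout is itself a denial-of-service lever against admin accounts, while a console with no lockout is the escape hatch) can be shown side by side in code. The following is an added illustration, not code from this thread or from any Educause member system; the attempt log, the account name "sysadmin", the addresses and the "console" source label are all constructed. It contrasts a classic per-account lockout with a throttle keyed on (account, source) that exempts the local console, and runs both over the same sequence of attempts: twenty bad guesses from one address, followed by the real admin logging in from the console and from the management network.

```python
"""Compare two failed-login policies on a constructed sequence of attempts.

Both classes expose attempt(now, account, source, password_ok) and return one of
"ok", "denied", "locked" or "throttled". Nothing here talks to a real system.
"""
from collections import defaultdict

# Constructed attempts: (time in seconds, account, source, password was correct)
ATTEMPTS = (
    [(t, "sysadmin", "198.51.100.7", False) for t in range(20)]  # 20 guesses, one source
    + [(25, "sysadmin", "console", True),      # the admin at the physical console
       (26, "sysadmin", "10.0.0.5", True)]     # the admin from the management network
)


class HardAccountLock:
    """Classic policy: N failures on an account, from anywhere, lock it for lock_seconds.

    Anyone who can reach the login prompt can therefore lock any account they name.
    """

    def __init__(self, threshold=5, lock_seconds=1800):
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked_until = {}             # account -> unlock time

    def attempt(self, now, account, source, password_ok):
        if self.locked_until.get(account, -1) > now:
            return "locked"                # even a correct password is refused
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked_until[account] = now + self.lock_seconds
            self.failures[account] = 0
        return "denied"


class PerSourceBackoff:
    """Throttle keyed on (account, source) with exponential backoff.

    A burst of failures from one address delays only that address; other sources
    keep working, and exempt sources (here the physical console) are never delayed.
    The account is never put into a state where the right password is refused.
    """

    def __init__(self, threshold=5, base_delay=30, max_delay=900, exempt=("console",)):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.exempt = set(exempt)
        self.failures = defaultdict(int)   # (account, source) -> consecutive failures
        self.retry_after = {}              # (account, source) -> earliest next try

    def attempt(self, now, account, source, password_ok):
        key = (account, source)
        if source not in self.exempt and self.retry_after.get(key, -1) > now:
            return "throttled"
        if password_ok:
            self.failures.pop(key, None)
            self.retry_after.pop(key, None)
            return "ok"
        self.failures[key] += 1
        excess = self.failures[key] - self.threshold
        if excess >= 0 and source not in self.exempt:
            # delay doubles with every failure past the threshold, capped at max_delay
            delay = min(self.base_delay * 2 ** excess, self.max_delay)
            self.retry_after[key] = now + delay
        return "denied"


def run(policy, attempts=ATTEMPTS):
    """Feed every attempt through the policy and return the list of outcomes."""
    return [policy.attempt(now, acct, src, ok) for now, acct, src, ok in attempts]


def legitimate_admin_outcomes(policy, attempts=ATTEMPTS):
    """Outcomes for only the attempts where the correct password was presented."""
    results = run(policy, attempts)
    return [r for (_, _, _, ok), r in zip(attempts, results) if ok]


if __name__ == "__main__":
    for cls in (HardAccountLock, PerSourceBackoff):
        print(cls.__name__, legitimate_admin_outcomes(cls()))
```

Under `HardAccountLock` the attacker's fifth guess locks `sysadmin` for thirty minutes and both of the admin's correct logins come back `locked`, which is the situation the post describes. Under `PerSourceBackoff` the guessing address is throttled after the same fifth failure while the console and the management-network login both succeed. Whichever policy a site chooses, the moment an admin account crosses the threshold is worth an alert in its own right, since it is exactly the event that preceded the incident above.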