Educause Security Discussion
mailing list archives
Re: Password policy publication
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Tue, 28 Oct 2008 10:26:24 -0700
A brute-force attack may or may not require access to the password file.
An attacker could try an online brute-force attack by repeatedly trying to log in over the network. There are tools,
such as THC Hydra, that allow an attacker to attempt this against a number of different protocols/authentication
methods. Obviously, this is not as fast as an offline attack and may trigger account lockout, IDS alerts, and result
in log entries, but if the passwords are weak it can work.
An offline attack is much more effective, but it does require that the attacker already has access to the password
file (or another repository). This doesn't mean that it isn't important.
Occasionally there are vulnerabilities in web applications or other software that allow an attacker to snag a copy of
the password file using only anonymous web access. Even when that is not the case, the password file is a coveted item
to an attacker. We have to assume that our systems will be breached from time to time even if we take care to secure
them. We may misconfigure something, or an attacker may be using a 0-day exploit (when no patch is available).
Unless an attacker has a narrow goal such as defacing a website, he will usually want to take steps to maintain his
access to a system and to leverage his access on one system to gain entry to the rest of the network. This is what
makes the password file so valuable to him. He may be able to get in using a remote 0-day exploit today, but that hole
may be patched in a week or two. If he can crack some legitimate accounts he can get back in without the exploit.
Cracking passwords is a good way to gain access to additional systems on a network because the passwords used on one
machine often work on others as well. The attacker will crack as many passwords as he can so that he can try those
credentials on other systems. It is easiest if the usernames are the same, but he may take the time to match up
accounts with different names; i.e. Bob Jones might be bjones on one system and jones.b or bob.jones on another. An
attacker may also use the passwords that he is able to crack to gain access to personal accounts or accounts on another
network. If he cracks Bob Jones' password and also notices that Bob sends himself email from bjones65 at hotmail.com,
he may take a stab at that account too.
We can't view security as being only about keeping people out; it's also about detection and containment. This is why
the concept of defense-in-depth is so important.
Steven Alexander Jr.
Online Education Systems Manager
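The online brute-force and credential-reuse attacks described in the message above do leave log entries, and a simple detector over those entries is the kind of defense-in-depth the post argues for. The following is an added example (not code from the original post or from any tool it mentions) that reads sshd-style "Failed password"/"Accepted password" lines and flags three things: a burst of failures against one account from one source, a "spray" of failures across many accounts from one source (the attacker trying bjones, jones.b, bob.jones, ...), and a successful login that immediately follows such a burst. The sample log lines, the hostname, the addresses, the 60-second window and the thresholds of 5 failures / 4 distinct accounts are all constructed assumptions for illustration; tune them to your own environment.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime

# Constructed sample sshd log lines (assumption: not taken from any real system).
SAMPLE_LOG = """\
Oct 28 09:00:01 web1 sshd[2301]: Failed password for bjones from 203.0.113.7 port 40110 ssh2
Oct 28 09:00:02 web1 sshd[2301]: Failed password for bjones from 203.0.113.7 port 40111 ssh2
Oct 28 09:00:02 web1 sshd[2301]: Failed password for bjones from 203.0.113.7 port 40112 ssh2
Oct 28 09:00:03 web1 sshd[2301]: Failed password for bjones from 203.0.113.7 port 40113 ssh2
Oct 28 09:00:04 web1 sshd[2301]: Failed password for bjones from 203.0.113.7 port 40114 ssh2
Oct 28 09:00:05 web1 sshd[2301]: Failed password for bjones from 203.0.113.7 port 40115 ssh2
Oct 28 09:00:06 web1 sshd[2301]: Accepted password for bjones from 203.0.113.7 port 40116 ssh2
Oct 28 09:05:00 web1 sshd[2400]: Failed password for invalid user admin from 198.51.100.9 port 5001 ssh2
Oct 28 09:05:01 web1 sshd[2400]: Failed password for root from 198.51.100.9 port 5002 ssh2
Oct 28 09:05:02 web1 sshd[2400]: Failed password for jones.b from 198.51.100.9 port 5003 ssh2
Oct 28 09:05:03 web1 sshd[2400]: Failed password for bob.jones from 198.51.100.9 port 5004 ssh2
Oct 28 09:05:04 web1 sshd[2400]: Failed password for invalid user test from 198.51.100.9 port 5005 ssh2
Oct 28 09:30:00 web1 sshd[2500]: Failed password for asmith from 192.0.2.44 port 6001 ssh2
Oct 28 09:31:00 web1 sshd[2500]: Accepted password for asmith from 192.0.2.44 port 6002 ssh2
"""

# Syslog lines carry no year; 2008 is assumed here to match the thread's date.
LOG_YEAR = "2008"
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port"
)

Event = namedtuple("Event", "ts result user src")


def parse_events(text):
    """Turn sshd log text into Event tuples; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(LOG_YEAR + " " + m.group(1), "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect(events, window=60, fail_threshold=5, spray_threshold=4):
    """Return a list of (kind, src, user, count) alerts.

    brute_force:         >= fail_threshold failures for one (src, user) within window seconds
    password_spray:      >= spray_threshold distinct users failed from one src within window
    success_after_burst: an Accepted login for a (src, user) pair that is still over fail_threshold
    Each (src, user) / src is reported once per kind so a long attack does not flood the output.
    """
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    pair_fails = defaultdict(deque)   # (src, user) -> failure timestamps inside the window
    src_fails = defaultdict(deque)    # src -> (timestamp, user) failures inside the window
    flagged_pairs, flagged_srcs = set(), set()

    for e in events:
        key = (e.src, e.user)
        dq = pair_fails[key]
        # Drop failures that have aged out of the sliding window.
        while dq and (e.ts - dq[0]).total_seconds() > window:
            dq.popleft()

        if e.result == "Failed":
            dq.append(e.ts)
            if len(dq) >= fail_threshold and key not in flagged_pairs:
                flagged_pairs.add(key)
                alerts.append(("brute_force", e.src, e.user, len(dq)))

            sq = src_fails[e.src]
            sq.append((e.ts, e.user))
            while (e.ts - sq[0][0]).total_seconds() > window:
                sq.popleft()
            distinct = {u for _, u in sq}
            if len(distinct) >= spray_threshold and e.src not in flagged_srcs:
                flagged_srcs.add(e.src)
                alerts.append(("password_spray", e.src, None, len(distinct)))
        else:
            # A success right after a burst is the case that needs a human immediately:
            # the guess worked, and the attacker now holds a legitimate credential.
            if len(dq) >= fail_threshold:
                alerts.append(("success_after_burst", e.src, e.user, len(dq)))
    return alerts


if __name__ == "__main__":
    for kind, src, user, count in detect(parse_events(SAMPLE_LOG)):
        print(f"{kind:20s} src={src:14s} user={user or '*':10s} count={count}")
```

On the constructed sample this reports the bjones burst from 203.0.113.7, the successful login that follows it, and the spray across admin/root/jones.b/bob.jones/test from 198.51.100.9, while asmith's single mistyped password followed by a normal login is not flagged. The spray check is the one that catches the username-variant guessing the message describes, since each individual account sees only one failure.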
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla,
Sent: Tuesday, October 28, 2008 7:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy publication
Doesn't this require stealing the password file, so that you can run the
brute-force attack? Or are we protecting from sysadmins who already have
access to the password file?