Educause Security Discussion
mailing list archives
Re: Password policy publication
From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Tue, 28 Oct 2008 13:08:18 -0500
Personally I think that lockouts, in most cases, are simply a way
to easily DOS users. Strong passwords prevent brute force guesses,
and don't prevent the legitimate user from doing their work.
At 11:01 AM 10/28/2008, Shalla, Kevin put fingers to keyboard and wrote:
So the systems are not configured to lock an account after a certain
number of failed password attempts? Isn't brute force by definition dumb,
and it doesn't try just common passwords (and so try billions of
passwords)? Or maybe brute-force is smarter now, and first does a
dictionary attack, then uses strings containing the username, etc. But
still, isn't it going to try hundreds, if not thousands, of passwords?
On Tue, October 28, 2008 9:32 am, Roger Safian wrote:
At 09:26 AM 10/28/2008, Shalla, Kevin put fingers to keyboard and wrote:
Doesn't this require stealing the password file, so that you can run the
brute-force attack? Or are we protecting from sysadmins who already have
access to the password file?
Not really...I've seen brute force attempts many times in my logs.
You just try common passwords, and hope for the best.
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax) "You're never too old to have a great childhood!"
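Two points in the thread lend themselves to a worked example: Roger's remark that brute-force attempts show up in the logs, and the trade-off between per-account lockouts (which let a guesser lock out legitimate users) and strong passwords (which make online guessing impractical). The following Python is an added example, not code from the thread or from any of its participants. It assumes sshd-style "Failed password" log lines; the log lines themselves are constructed for the example, with documentation addresses. It counts failures per source address rather than per account, so a guesser spraying many usernames is flagged without any legitimate account being locked, and it computes how long an online guesser would need against passwords of a given length and alphabet.

```python
import re
from collections import Counter

# Constructed sample auth log lines (assumed sshd format; not from the original thread).
SAMPLE_LOG = """\
Oct 28 10:01:02 host sshd[1]: Failed password for alice from 203.0.113.7 port 4001 ssh2
Oct 28 10:01:03 host sshd[1]: Failed password for bob from 203.0.113.7 port 4002 ssh2
Oct 28 10:01:04 host sshd[1]: Failed password for invalid user admin from 203.0.113.7 port 4003 ssh2
Oct 28 10:01:05 host sshd[1]: Failed password for root from 203.0.113.7 port 4004 ssh2
Oct 28 10:01:06 host sshd[1]: Failed password for carol from 203.0.113.7 port 4005 ssh2
Oct 28 10:01:07 host sshd[1]: Failed password for dave from 203.0.113.7 port 4006 ssh2
Oct 28 10:05:00 host sshd[1]: Failed password for alice from 198.51.100.9 port 5001 ssh2
Oct 28 10:05:20 host sshd[1]: Accepted password for alice from 198.51.100.9 port 5002 ssh2
"""

# Matches both "Failed password for alice from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def failed_attempts_by_source(log_text):
    """Count failed logins per source address and record the usernames each tried."""
    per_src = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        src, user = m.group("src"), m.group("user")
        per_src[src] += 1
        users.setdefault(src, set()).add(user)
    return per_src, users


def flag_guessing_sources(log_text, min_failures=5, min_users=3):
    """Return sources whose failures are both numerous and spread across accounts.

    One user mistyping a password produces a few failures against one account;
    many failures across many accounts from one address is guessing. Acting on
    the source (rate limiting, blocking) does not lock out the accounts it tried,
    which is the DoS problem a per-account lockout policy creates.
    """
    per_src, users = failed_attempts_by_source(log_text)
    return sorted(src for src, n in per_src.items()
                  if n >= min_failures and len(users[src]) >= min_users)


def expected_guesses(length, alphabet_size):
    """Average guesses to hit a uniformly random password: half the keyspace."""
    return alphabet_size ** length / 2


def years_to_expect_hit(length, alphabet_size, guesses_per_second):
    """Years an online guesser needs on average at a sustained guess rate."""
    seconds = expected_guesses(length, alphabet_size) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    print("guessing sources:", flag_guessing_sources(SAMPLE_LOG))
    # A 4-digit PIN falls in minutes at 10 guesses/s; a 12-char mixed-case
    # alphanumeric password takes far longer than any realistic campaign.
    print("4-digit PIN, years:", years_to_expect_hit(4, 10, 10))
    print("12-char [A-Za-z0-9], years:", years_to_expect_hit(12, 62, 10))
```

The thresholds (`min_failures`, `min_users`) are assumptions chosen for the sample; in practice they are tuned to the site's normal failure rate. The keyspace figures assume passwords chosen uniformly at random, which is the case a strong-password policy is trying to approximate; dictionary words and username-derived strings fall far faster, which is exactly why the policy matters more than the lockout.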