Re: Not so much a bug as a warning of new brute force attack

Valdis.Kletnieks@vt.edu
Tue, 4 Jun 1996 14:39:41 -0400

On Tue, 04 Jun 1996 10:12:13 BST, you said:
> Is this not desirable?  The longer they keep that good password, the worse it
> gets.  Make them choose another good password!

You know, this is taken as an article of faith, but some days I'm not
so sure.  Yes, the longer you use a password, the higher the chance
that it gets compromised - but notice that if you *change* the
password, you have a chance of being compromised immediately.  Most of
the current attacks on passwords (sniffers, crack programs, et al) are
equally effective whether the password is 2 minutes old or 2 years
old.

I'd have to chunk out the statistics to be sure, but I have a feeling
that unless you set <max password lifetime> to be in the same range as
<time to run CRACK>, it doesn't really help matters any.  The only
thing you're REALLY doing is changing the amount of time the hacker
can *USE* the password.

And let's face it - once the hacker HAS the password, he'll probably
install a backdoor so that it doesn't MATTER if you expire his password.

This leads to the conclusion that what you *REALLY* want to do is:

1) Make sure you use Kerberos or other network authentication so you
never send it in cleartext...

2) *LET* the damn password be the same for years and years - *AFTER*
you've made sure that it's a Really Really Good password.

3) Remember that if you make them change it once a month, the average
quality will decay.... "Damn, it's that time again...".


--
                                Valdis Kletnieks
                                Computer Systems Engineer
                                Virginia Tech

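A toy model of the trade-off the mail argues, added here as an example and not part of the original message. It assumes (my assumptions, not the author's) that the attacker captures a hash and starts cracking at a uniformly random point in the password's lifetime, needs a fixed time to crack it, and loses access at the next rotation; the backdoor the mail mentions is ignored, and the numbers are constructed.

```python
"""Toy model of how password expiry interacts with an attacker's crack time.

Assumptions (mine, not the mail's): the attacker captures a hash and starts
cracking at a uniformly random point in the password's lifetime P; cracking
takes a fixed time T; the attacker loses access at the next rotation. The
backdoor the mail mentions is deliberately ignored here.
"""
import random
from fractions import Fraction


def compromise_probability(crack_time, lifetime):
    """Chance the crack finishes before the password expires: (P - T) / P."""
    if crack_time >= lifetime:
        return Fraction(0)
    return Fraction(lifetime - crack_time, lifetime)


def expected_usable_time(crack_time, lifetime):
    """Expected time the attacker can use the password (0 when the crack
    fails): (1/P) * integral_0^(P-T) (P - T - u) du = (P - T)^2 / (2P)."""
    if crack_time >= lifetime:
        return Fraction(0)
    return Fraction((lifetime - crack_time) ** 2, 2 * lifetime)


def simulate_usable_time(crack_time, lifetime, trials=20000, seed=1):
    """Monte Carlo cross-check of expected_usable_time."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        offset = rng.uniform(0, lifetime)        # when the crack starts
        total += max(lifetime - offset - crack_time, 0.0)
    return total / trials


def expiry_table(crack_time, lifetimes):
    """(lifetime, P(compromise), expected usable days) for each policy."""
    return [(p, float(compromise_probability(crack_time, p)),
             float(expected_usable_time(crack_time, p))) for p in lifetimes]


if __name__ == "__main__":
    # Constructed numbers: a 7-day crack vs. several max-lifetime policies.
    for p, prob, days in expiry_table(7, [10, 30, 90, 365, 3650]):
        print(f"lifetime {p:5d}d  P(compromise)={prob:.2f}  usable={days:7.1f}d")
```

The table shows P(compromise) staying near 1 for every lifetime well beyond the crack time, with only the usable window shrinking, which is the point the mail makes about lifetime versus time-to-crack.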