Re: UNIX password auditing tool and the search for dictionaries too
From: Adam Newhard <atnewhard(at)microstrain.com>
Date: Fri Aug 08 2003 - 09:41:46 EDT

In terms of this comment to whoever posted it (sorry, I don't remember who it was):

> >Strong passwords are the number one source of denial of service in most

How is it a high cost for security??? I've always found having someone come down and asking
In terms of your DoS attack, I might be misreading your question, but strong passwords being DoS'd or brute forced (if you consider a really fast brute force attack a DoS; I don't, but some do), a lot of places will put a piece of crap machine as their password authentication for their network. Yeah, you may have a lot of people logging on and may get periodically bogged down, but you need to find the right machine that'll cause the correct amount of lag. Say for a "normal" company (my idea, not necessarily yours) you have 200 people. Probably, on average, they log on maybe 2-3 times/day...some only once, some maybe 10 times, and those on vacation never...so give them 3 times/day. If you have a fast machine doing password checks and it takes only a second for the logon sequence (password verification), it'll be about 600 seconds or 10 min (200 people x 3 logons/day x 1 sec)...theoretically, of course. If I want to brute force the machine I can do 60/sec. Take a crap machine, stable mind you, just a slower processor, that takes 10 seconds to verify a password and you've dropped to 6 attempts/sec. Yeah, you do go from 10 min/day of verification to 50 min (if my math is correct), so that's something you need to consider when you think about if it's worth it or not...after finding a reasonable value, it is to me. You could consider it an easier target for DoS b/c it's much slower, but then again, you also have to take into consideration this...if you're gonna try to get in using someone's password, why would you attack a crap machine that's exceptionally slow...I'd just stand behind them while they type in their password. I might've missed part of your statement, so if I did...I apologize.

After reading your statement, one more thing...if strong password authentication causes a lot of DoS b/c people are trying to logon constantly w/the wrong password b/c of password changes, why are you even letting them attempt to logon so many times? If a person mistypes their password 3-5 times, the account should either be deactivated until that person comes and gets you or for a certain number of minutes. Print a nice pretty message to the user that this has happened and send yourself a note also so you can go find them if need be. There are holes to that one just like anything (i.e. your boss doesn't like it), but like I said before, nothing's really perfect. If DoS'ing occurs b/c people keep entering the wrong password, that's more your fault than theirs.

Out of curiosity, where did you find it saying that DoS is the number one problem w/strong passwords???

adam

Adam Newhard
Microstrain, Inc.
If vegetarians eat vegetables, watch out for humanitarians
> >Before you go too far with strong passwords, remember, they do more
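The verification-cost arithmetic and the failed-logon lockout Adam describes above, carried through as an added Python example (this is not code from the original post or from Microstrain). The post's own figures are used (200 users, 3 logons/day, 1 s vs 10 s checks, 60 vs 6 guesses/sec); the 60 concurrent connections that make those guess rates work and the 15-minute default lock are assumptions.

```python
from dataclasses import dataclass, field
# Cost model from the post: a slower verification step slows online guessing,
# but every legitimate logon pays the same cost. Inputs are the post's figures.
def daily_verification_seconds(users, logons_per_day, verify_seconds):
    """Seconds per day the authentication host spends verifying passwords."""
    return users * logons_per_day * verify_seconds

def online_guesses_per_second(verify_seconds, parallel_connections):
    """Upper bound on online guesses per second; each connection is serialised
    on the verification step. parallel_connections is an assumption: the post's
    60/sec against a 1-second check implies 60 concurrent logon attempts."""
    return parallel_connections / verify_seconds

# Lockout policy from the post: after max_failures bad passwords the account is
# locked for lockout_minutes, the user is told, and the admin gets a note.
@dataclass
class LockoutPolicy:
    max_failures: int = 5            # the post suggests 3-5
    lockout_minutes: int = 15        # assumption: "a certain number of minutes"
    failures: dict = field(default_factory=dict)       # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)   # user -> unix time lock ends
    admin_notices: list = field(default_factory=list)  # the "note to yourself"

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0.0) > now

    def record_attempt(self, user, password_ok, now):
        """Returns 'locked', 'ok' or 'failed'. A locked account rejects the
        attempt before the password is checked, so guessing stops costing CPU
        and the per-account guess rate is capped by the lockout window."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)        # success resets the counter
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count < self.max_failures:
            return "failed"
        self.locked_until[user] = now + self.lockout_minutes * 60
        self.failures.pop(user, None)            # fresh count once the lock expires
        self.admin_notices.append(f"{user}: locked at t={now:.0f} after {count} bad passwords")
        return "locked"

if __name__ == "__main__":
    print("fast host: %d s/day, %.0f guesses/s" % (daily_verification_seconds(200, 3, 1), online_guesses_per_second(1, 60)))
    print("slow host: %d s/day, %.0f guesses/s" % (daily_verification_seconds(200, 3, 10), online_guesses_per_second(10, 60)))
    p = LockoutPolicy(max_failures=3, lockout_minutes=10)
    print([p.record_attempt("alice", False, t) for t in (0, 1, 2, 3)])
```

The lock is keyed on the account, so anyone who knows a username can trigger it with bad passwords; that is the hole the post acknowledges, and the admin notice is what lets you spot it.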
Received on Fri Aug 8 11:55:56 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:11 EDT