Re: [Assurance] Password Strength Requirements

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Assurance] Password Strength Requirements
  • Date: Wed, 8 Aug 2012 21:28:46 +0000
  • Accept-language: en-US

On 8/8/12 5:04 PM, "Joe St Sauver" <> wrote:
>
>Are you talking about examples where passwords needed to be changed in
>bulk? If so, consider this public example:

I'm talking about a mass DOS attack using the lockout as the vector.

>Moreover, if you're maliciously inclined, it's easy enough to demonstrate
>the futility of the "if brute forced, trigger password required password
>reset" -- pick a highly influential person at your site (President, VP,
>Provost, CIO, highest-funded campus researcher, talented-but-grumpy DBA,
>or whatever), then trigger the brute force equals must change password
>rule. First time it happens, if you're lucky, they'll grumble but they'll
>hopefully go along with picking a new password.

Yeah, but. I'd get caught. That's the argument. Could I plausibly do a
real hack and not get caught? Yeah, probably, but that's not the view of
the decision makers.

Again, you're proposing theoretical technical/wonky attacks that mean
nothing to the non-techies here. They laugh at it.

>Every environment will be different, and I don't mean to imply that any
>one answer is right for every school. Whatever works for a given site is
>terrific, from my POV. I'm just suggesting that some policies can have
>subtle but potent side effects that bear consideration.

I'm asking if this is a theory or a proven downside of lockout that
schools have observed.

-- Scott
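The thread asks whether lockout-as-denial-of-service is a theoretical or an observed problem. One way a site can answer that for itself is to look for the signature in its own authentication logs: many distinct accounts locked within a short window by a single source is what a lockout storm looks like, as opposed to scattered individual lockouts from users mistyping their own passwords. The following is an added example, not code from the list or from either poster; the log format and the sample lines are constructed for illustration, and the window and threshold values are assumptions a site would tune to its own baseline.

```python
"""Detect a lockout storm in authentication logs.

Flags a source that locks out at least `min_accounts` distinct accounts
within `window`. Log format and sample lines are constructed for this
example (assumed format: "<ISO timestamp> <event> user=<name> src=<ip>").
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source (198.51.100.7) locks five accounts in
# six seconds; the other two lockouts are isolated and should not alert.
SAMPLE_LOG = """\
2012-08-08T17:00:01 lockout user=alice src=10.0.0.5
2012-08-08T17:00:02 lockout user=bob src=198.51.100.7
2012-08-08T17:00:03 lockout user=carol src=198.51.100.7
2012-08-08T17:00:04 lockout user=dave src=198.51.100.7
2012-08-08T17:00:05 lockout user=erin src=198.51.100.7
2012-08-08T17:00:06 lockout user=frank src=198.51.100.7
2012-08-08T17:00:07 lockout user=bob src=198.51.100.7
2012-08-08T17:45:00 lockout user=grace src=10.0.0.9
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def parse_log(text):
    """Parse all non-empty lines of a log into event dicts."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _windows(events, window):
    """Yield (anchor timestamp, set of distinct users) for a window
    starting at each event; events are sorted by time first."""
    events = sorted(events, key=lambda e: e["ts"])
    for i, anchor in enumerate(events):
        users = {e["user"] for e in events[i:]
                 if e["ts"] - anchor["ts"] <= window}
        yield anchor["ts"], users


def lockout_storms(events, window=timedelta(minutes=5), min_accounts=5):
    """Return one alert per source that locked >= min_accounts distinct
    accounts within `window`. Repeated lockouts of the same account by the
    same source count once, so a single confused user never trips this."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "lockout":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for first_ts, users in _windows(evs, window):
            if len(users) >= min_accounts:
                alerts.append({"src": src, "first_ts": first_ts,
                               "accounts": sorted(users)})
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in lockout_storms(parse_log(SAMPLE_LOG)):
        print(f"lockout storm from {alert['src']} starting "
              f"{alert['first_ts']}: {', '.join(alert['accounts'])}")
```

Running this over a site's real lockout events for a few months is the cheapest way to turn the question in the thread from "theory" into a number: if the detector never fires, the downside has not been observed there; if it fires outside of password-change deadlines, the lockout policy is already costing the help desk. A site that does see storms usually moves from per-account lockout toward per-source throttling, since that slows a guesser without letting anyone lock a specific person out.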

Archive powered by MHonArc 2.6.16.