- From: Jon Miner <>
- To:
- Subject: [Assurance] Re: Password Strength Requirements
- Date: Wed, 08 Aug 2012 14:53:23 -0500
On 8/8/12 1:51 PM, Joe St Sauver wrote:
> Benn asked:
>
> #- Is anyone (considering) maintaining a simple failed authentication
> #counter per-password, and expiring the password once the counter reaches
> #the limit permitted by the complexity for the level (Bronze/Silver) of
> #interest? (i.e., no lockout, no scheduled expiration)
>
> My concern with employing that approach would be that it could easily be
> exploited for a trivial denial of service attack: strobe all discernible
> accounts with sufficient attempts to trigger expiration, then watch
> a synchronized flood of users who can't successfully change their old
> (now expired) passwords deluge your help desk/account clerk for manual
> assistance. (Yes, I know that users should be able to readily change
> their passwords, but as a practical matter, that may be an unfounded
> expectation.)
>
> Forced password changes are particularly tricky if password changes cannot
> be accomplished "in-line." That is, in the old days when it was all just
> shell access to time sharing hosts, an expired password could be handled
> in-line just by dumping the user into the password changing facility
> directly. However, once users begin authenticating via POP and IMAP clients,
> and VPN clients, and every other application under the sun, it gets a lot
> harder to cleanly force them to a reset facility, and of course, phishing
> makes advising them by email difficult, and the list of complications goes
> on...
This is largely why we have just ignored this at Madison. Fear of the DoS, difficulty in communicating the situation to the user, etc.
It's an ugly situation.
jon
--
Jonathan J. Miner
Division of Information Technology, University of Wisconsin - Madison
608/262.9655, Room 3148 Computer Science

Reason #6 to quit your job and move to Key West: Everybody stares at me when
I drink margaritas at meetings.
-- Christopher Shultz and David L. Sloan, "Quit your job and move to Key
West"