[2690] in bugtraq
Re: Not so much a bug as a warning of new brute force attack
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Jun 5 03:30:29 1996
Date: Tue, 4 Jun 1996 14:39:41 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Valdis.Kletnieks@vt.edu
X-To: Shaun Lowry <s.lowry@march.co.uk>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: Your message of "Tue, 04 Jun 1996 10:12:13 BST." <31b3fdee0.11c8@rover.march.co.uk>
On Tue, 04 Jun 1996 10:12:13 BST, you said:
> Is this not desirable? The longer they keep that good password, the worse it
> gets. Make them choose another good password!
You know, this is taken as an article of faith, but some days I'm not
so sure. Yes, the longer you use a password, the higher the chance
that it gets compromised - but notice that if you *change* the
password, you have a chance of being compromised immediately. Most of
the current attacks on passwords (sniffers, crack programs, et al) are
equally effective whether the password is 2 minutes old or 2 years
old.
I'd have to chunk out the statistics to be sure, but I have a feeling
that unless you set <max password lifetime> to be in the same range as
<time to run CRACK>, it doesn't really help matters any. The only
thing you're REALLY doing is changing the amount of time the hacker
can *USE* the password.
And let's face it - once the hacker HAS the password, he'll probably
install a backdoor, so that it doesn't MATTER if you expire his password.
This leads to the conclusion that what you *REALLY* want to do is:
1) Make sure you use Kerberos or other network authentication so you
never send it in cleartext...
2) *LET* the damn password be the same for years and years - *AFTER*
you've made sure that it's a Really Really Good password.
3) Remember that if you make them change it once a month, the average
quality will decay.... "Damn, it's that time again...".
--
Valdis Kletnieks
Computer Systems Engineer
Virginia Tech
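The exposure argument above (max password lifetime versus time to run CRACK) can be put into a small model. This is an added example, not part of the original post: it assumes a hash is captured at a uniformly random point in the password's lifetime L, that cracking takes a fixed time C, and that the password is usable from the moment the crack finishes until the rotation at L. Under those assumptions it computes how often rotation stops the attacker at all, and how long the attacker can otherwise use the password.

```python
"""Exposure model for password rotation (constructed example, not from the post).

Assumptions (all mine, not the author's):
  * A password hash is captured at time t ~ Uniform(0, L), where L is the
    maximum password lifetime.
  * Cracking takes a fixed time C; the attacker can use the password from
    t + C until rotation at time L. Persistence (backdoors) is not modelled.
  * All times share one unit (days below).
"""
import random


def crack_succeeds_fraction(lifetime: float, crack_time: float) -> float:
    """Fraction of captured hashes that are cracked before the password expires.

    The crack finishes in time only if t + C < L, i.e. t < L - C, which for
    uniform t happens with probability (L - C) / L.
    """
    if crack_time >= lifetime:
        return 0.0
    return (lifetime - crack_time) / lifetime


def expected_use_window(lifetime: float, crack_time: float) -> float:
    """Expected time the attacker can use the password, averaged over t.

    The usable window is max(0, L - t - C); integrating over t in [0, L]
    gives (L - C)^2 / (2 L) when C < L and 0 otherwise.
    """
    if crack_time >= lifetime:
        return 0.0
    return (lifetime - crack_time) ** 2 / (2 * lifetime)


def simulate_use_window(lifetime: float, crack_time: float,
                        trials: int = 20_000, seed: int = 1) -> float:
    """Monte Carlo check of expected_use_window under the same assumptions."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        t = rng.uniform(0.0, lifetime)
        total += max(0.0, lifetime - t - crack_time)
    return total / trials


if __name__ == "__main__":
    crack = 7.0  # constructed: CRACK needs a week on the captured hash
    print(f"crack time {crack:.0f} days")
    for life in (7.0, 14.0, 30.0, 90.0, 365.0, 3650.0):
        print(f"lifetime {life:6.0f}d: cracked in time {crack_succeeds_fraction(life, crack):5.1%}, "
              f"expected use window {expected_use_window(life, crack):7.1f}d")
```

The table shows the point the post makes: unless the lifetime is within a small multiple of the crack time, almost every captured hash is cracked while still valid, and rotation only trims how long the password can be used afterwards.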