Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
RE: Account Lockouts
From: Martin Dion (martin.dionabovesecurity.com)
Date: Thu Dec 02 2004 - 12:04:07 CST
There is a few efficient ways to tests those password but you need to
take some preventive measure not to wreak havoc the system :)
1- Copy the password files and crack them offline
2- Decrypt the password file and analyze the 'clear' password (that must
be done in a tight and controlled environment)
3- If it's a Windows Server setup, create a backup domain, once it is
synchronize with the master controller, unplug it from the production
network, de-actate the account lockout policy, and run a password
cracker on a separated network with only the cracking machine and the
backup domain controller.
4- Restore the access control server (Unix or Windows) on a new machine
and run the previous setup.
You can use LC5 from AtStake to test brute force both Unix and Windows
based authentication servers.
Have a nice day!
Martin Dion, CISM
Chief Technology Officer
FIRST Representative - AboveSecCERT
Phone: (450) 430-8166 #103
Cell: (514) 831-5427
This message and any attachments are confidential and intended solely
for the addressee. If you have received this message in error please
delete it and notify Above Security immediately, telephone number (450)
430-8166. Any unauthorized use, alteration or dissemination is
prohibited. Above Security accepts no liability whatsoever for any loss,
whether it be direct, indirect or consequential, arising from
information made available and actions resulting there from.
From: Harrison Gladden [mailto:hgladdengmail.com]
Sent: December 1, 2004 12:52 PM
To: webappsecsecurityfocus.com; secprogsecurityfocus.com
Subject: Account Lockouts
My question to the group is about handling account lock outs. Here's
the situation, assume there is a web interface that lets users log in
and do stuff, but the log-in process is constrained by the network
restrictions as well.. Meaning if a user tries to log in X times in Y
seconds and fails each time, then the account get locked out.
What are successfull techniques that could be used on the web
interface to avoid having a script run against it that would
potentially lock out 15000 user accounts, and create a headache for
the system administrators who have to manually unlock each account?
Also assume the current user account names are known by everyone.
Possible techniques we've thrown around:
1) Allow each user to pick their own username instead of using a
standard (i.e. First 3 letters of first name + Full last name)
2) Create a set time-out period for each account of X (maybe an hour)
Hopefully my question makes sense.
Harrison Gladden <hgladdengmail.com>
Computer Engineer & Science Major
~Past experience: He who never makes
mistakes, never did anything that's worth.~