On Mon, Jan 2, 2012 at 7:12 PM, Craig B Agricola <[email protected]> wrote: > On Sun, Jan 01, 2012 at 03:16:39AM -0000, John Levine wrote: >> Where's this log? Wherever it is, it's on a system that also has their >> actual password. >> >> If I wanted to reverse engineer passwords, this doesn't strike me as a >> particularly efficient way to do so. >> >> R's, >> John > > Well, the log is presumedly unencrypted on the same machine that has a > *hash* of their actual password. It takes a lot longer to crack against > the hashed password list than it does to scan the log for these type of > log messages, which they can then check against the hashed password > database quickly and easily. I agree with Kevin that this scenario > isn't enough justification for the overhead and user annoyance that is > forced password rotation, but it's not an unreasonable scenario to want > to mitigate. Some web servers even make it easy to accidentally export > the logs, since often HTTP is the access method of choice for the people > who actually should be able to review the logs...
Agree that cracking effort far exceeds the effort of scanning the logs, but keep in mind that in most cases, if you can break in and have the password hash readable, then you likely already have admin permissions and it's game over. (E.g., consider that /etc/shadow usually only readable by root and group 'shadow'.) OTOH, depending on where you log such failures, that may or may not be word readable. (It really shouldn't be, but many times it is.) And even if you are using syslog and a remote log server and sending this to some SIEM product, keep in mind that those monitoring these logs via a SIEM usually do not have superuser access on those servers. But, please understand that I was not trying to imply that this means that periodically requiring password changes is a good idea. Generally, it's a bad idea when we try to enforce a one-size-fits-all security policy to everything. One needs to evaluate this on a risk basis on a case by case basis. -kevin -- Blog: http://off-the-wall-security.blogspot.com/ "The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We *cause* accidents." -- Nathaniel Borenstein _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
