> From: Ben Scott [EMAIL PROTECTED]
> Subject: Re: Audit recommendation

> On Dec 24, 2007 6:45 AM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> > I'm not sure why you think that brute forcing a password that is 14-15 
> > characters long is so simple.
>
>   A dumb brute force attack -- one that just tries every possible
> character in sequence -- is very simple, just also very slow to run.
> A "smart" brute force attack is not simple to implement, but can guess
> the sort of weak passwords most people use much quicker.

"much quicker" is how much quicker? If you're just talking a few orders of 
magnitude quicker, then it's still not feasible.

>  And you're the one who keeps imposing the 15 character length.  If we
> instead assume a typical user password -- say, made up of common names
> and dates -- we reduce the keyspace dramatically.

Well, it's possible to stop the user from using their username (and I suppose 
also their first and last names) in any password (SBS has a passfilt.dll that 
does this).

But, that all said, using a passphrase allows you to (relatively) easily 
concoct a password of >15 characters, with no great difficulty.

I was born on 6th February
My birthday is 6th Febraury
6th Februrary is my Birthday
06-02-1970 is my birthday
06-02-70 is the date of my birth

an enormous possible range of passwords just involving a birthday.

> > ... even with the example provided, if the user changes just a couple of 
> > characters ...
>
>  And what if they *don't*?

And what if they give their password to a stranger on the street in return for 
a chocolate?

> That is my point.

Well, you'd need to *enforce* a limit, and you'd need to *educate* people not 
to use obvious passwords.

And *even* if they use some information that is publicly available, if the 
possible number of combinations is in the millions or so, then account lockout 
would still make that type of attempt infeasible, and your monitoring software 
should alert you to the brute force attack.

> Given that this isn't exactly rocket science to implement (maybe a
> few dozen lines of code in C),

Wouldn't we need to synchronise failed attempts across all DCs? And keep a 
counter of failed attempts, and the timeframe from the first attempt? And would 
it apply to all logon types? or just interactive?

Cheers
Ken
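The lockout mechanism the two of them are arguing about, as an added example that is not part of the thread and not anything either of them posted: a tracker with the three pieces Ken lists (a failure counter, the timeframe from the first failure, and a lockout duration), a bound on how many online guesses per day such a policy still permits, and a simple rate-based detector over the resulting logon log. The policy values (5 failures, 30-minute window, 30-minute lockout), the 10-million keyspace and the account names are assumptions chosen for illustration; the code holds state in a single process, so the multi-DC synchronisation question is deliberately left open.

```python
"""Added example: account-lockout tracker, the guess rate it permits, and a
rate-based brute-force detector. Policy numbers are assumed, not from the thread."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5          # failed attempts that trigger a lockout (assumed)
    window: float = 30 * 60     # seconds after which the failure counter resets (assumed)
    duration: float = 30 * 60   # seconds the account stays locked (assumed)


@dataclass
class AccountState:
    failures: int = 0
    first_failure: Optional[float] = None
    locked_until: Optional[float] = None


class LockoutTracker:
    """One authority holding the counters for every account. With several DCs
    this state would have to be replicated or forwarded; one instance here."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.state = defaultdict(AccountState)
        self.log = []                  # (time, account, result) for the detector

    def attempt(self, account: str, now: float, correct: bool) -> str:
        s, p = self.state[account], self.policy
        if s.locked_until is not None and now < s.locked_until:
            result = "locked"          # password is not even checked
        elif correct:
            s.failures, s.first_failure, s.locked_until = 0, None, None
            result = "ok"
        else:
            if s.first_failure is None or now - s.first_failure > p.window:
                s.failures, s.first_failure = 0, now   # counter has aged out
            s.failures += 1
            if s.failures >= p.threshold:
                s.locked_until = now + p.duration
                s.failures, s.first_failure = 0, None
            result = "fail"            # a real guess was consumed
        self.log.append((now, account, result))
        return result


def max_guesses_per_day(p: LockoutPolicy) -> float:
    """Best online guess rate the policy permits: stay one under the threshold
    per window (never locked), or burn the threshold and wait out each lockout."""
    stealthy = (p.threshold - 1) * 86400 / p.window
    noisy = p.threshold * 86400 / p.duration
    return max(stealthy, noisy)


def days_to_exhaust(keyspace: int, p: LockoutPolicy) -> float:
    """Days needed to try every candidate at the best permitted rate."""
    return keyspace / max_guesses_per_day(p)


def simulate_attacker(p: LockoutPolicy, stealthy: bool,
                      seconds: float = 86400, target: str = "alice") -> LockoutTracker:
    """One day of wrong guesses (one per second inside each burst) against the
    tracker; the tracker is returned so its log can be inspected."""
    tr = LockoutTracker(p)
    t = 0.0
    per_burst = p.threshold - 1 if stealthy else p.threshold
    while t < seconds:
        start = t
        for _ in range(per_burst):
            if t >= seconds:
                break
            tr.attempt(target, t, correct=False)
            t += 1.0
        if stealthy:
            t = start + p.window + 1   # let the counter age out before the next burst
        else:
            t = tr.state[target].locked_until or t
    return tr


def guesses_made(tr: LockoutTracker, target: str = "alice") -> int:
    return sum(1 for _, a, r in tr.log if a == target and r == "fail")


def flag_bruteforce(log, max_failures: int = 5, window: float = 600) -> dict:
    """Detection side: accounts with >= max_failures failed logons inside any
    span of window seconds, mapped to the peak count seen."""
    times = defaultdict(list)
    for t, account, result in log:
        if result == "fail":
            times[account].append(t)
    alerts = {}
    for account, ts in times.items():
        ts.sort()
        lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:
                lo += 1
            if hi - lo + 1 >= max_failures:
                alerts[account] = max(alerts.get(account, 0), hi - lo + 1)
    return alerts


if __name__ == "__main__":
    policy = LockoutPolicy()
    noisy = simulate_attacker(policy, stealthy=False)
    quiet = simulate_attacker(policy, stealthy=True)
    print("guesses/day noisy:", guesses_made(noisy), "stealthy:", guesses_made(quiet))
    print("days for 10 million candidates:", round(days_to_exhaust(10_000_000, policy)))
    print("alerts noisy:", flag_bruteforce(noisy.log), "stealthy:", flag_bruteforce(quiet.log))
```

With the assumed policy the noisy attacker gets 240 guesses a day and the stealthy one 192, so a keyspace of "millions" (10 million here) takes on the order of a century online, which is Ken's point; the detector flags the noisy attacker after its first burst but never sees the stealthy one, which is why the alert threshold and the lockout threshold have to be chosen together.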
