On Jul 18, 2009, at 4:38 AM, Damian Myerscough wrote:
> Hello,
> Just out of curiosity how do you let your users change their
> passwords?
Adding to this, do you have a forgot password feature that perhaps
gives them passwords to a master control panel of some form?
Did you distribute their passwords to them via an email at some point
in time? If a password exists in email, some worm will find it and
reveal it to someone else at some point in time.
I suspect the problem you are having has nothing to do with the
strength of your password policy. You could have users with passwords
of a very simple nature, and that would probably not change your
troubles.
Even the most well thought out password will be compromised if there
are ways to do so outside of a dictionary attack. In your case, I
think you need to determine what the details are of your users who are
being compromised. What is their platform, what email client do they
use, etc. I would bet that Linux and Mac are not in that mix. If they
are not, you can start to look into what virus/worm/trojan does this
sort of malicious act, and provide a simple tool to remove it for your
users.
If it is phishing attacks, there is little you can do, as you will
simply not be able to educate your users. You may consider sending
them off to OpenDNS, or implementing such features yourself, as they
have built-in phishing URL detection. Using something like Firefox or
Safari that has phishing URL detection built in will help as well.
At this point, I would find the cause so you can work to solve it; I
strongly suspect it has nothing to do with password quality.
Have you looked at the IP space of the AUTHs that come in on a
compromised account? You may find they all come from the same place;
if you have no users in that space, blackhole that IP space from
authing.
--
Scott * If you contact me off list replace talklists@ with scott@ *
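The last suggestion in the reply above, grouping the source networks of successful authentications on the compromised accounts and checking whether any legitimate user also authenticates from them, as an added worked example that is not part of the thread. The log format ("auth <result> user=<u> ip=<ip>") and the sample lines are constructed for the example; the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 blocks are documentation ranges standing in for the site's own user space, an attacker-only space, and a network shared by an attacker and a legitimate user.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical "auth <result> user=<u> ip=<ip>"
# format; they are not from the list thread. 192.0.2.0/24 plays the role of the
# site's own user space, 198.51.100.0/24 an attacker-only space, and
# 203.0.113.0/24 a network shared by an attacker and a legitimate user (carol).
SAMPLE_LOG = """\
2009-07-18T04:01:12Z imap auth ok user=alice ip=192.0.2.15
2009-07-18T04:02:30Z imap auth ok user=bob ip=192.0.2.200
2009-07-18T04:05:44Z imap auth ok user=carol ip=203.0.113.9
2009-07-18T04:06:01Z imap auth ok user=alice ip=198.51.100.7
2009-07-18T04:06:09Z imap auth fail user=alice ip=198.51.100.7
2009-07-18T04:07:20Z imap auth ok user=bob ip=198.51.100.8
2009-07-18T04:08:00Z imap auth ok user=alice ip=203.0.113.77
2009-07-18T04:08:30Z imap auth ok user=bob ip=203.0.113.88
2009-07-18T04:09:00Z imap auth ok user=dave ip=192.0.2.40
"""

LINE_RE = re.compile(r"auth (?P<result>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)")


def parse_auths(log_text):
    """Yield (user, ip) for every successful authentication; malformed lines,
    failed attempts and unparsable addresses are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None or m.group("result") != "ok":
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        yield m.group("user"), ip


def source_network(ip, prefix):
    """Collapse an address to its containing /prefix block (IPv4) or /64 (IPv6)."""
    bits = prefix if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def networks_by_account(log_text, prefix=24):
    """Map each account to the set of source networks it successfully authenticated from."""
    seen = defaultdict(set)
    for user, ip in parse_auths(log_text):
        seen[user].add(source_network(ip, prefix))
    return dict(seen)


def suspect_networks(log_text, compromised, prefix=24, min_accounts=2):
    """Networks seen on at least `min_accounts` compromised accounts, each mapped to
    the sorted list of uncompromised accounts that also authenticate from it."""
    per_account = networks_by_account(log_text, prefix)
    hits = defaultdict(set)
    for user in compromised:
        for net in per_account.get(user, ()):
            hits[net].add(user)
    result = {}
    for net, users in hits.items():
        if len(users) < min_accounts:
            continue
        legit = sorted(u for u, nets in per_account.items()
                       if u not in compromised and net in nets)
        result[net] = legit
    return result


def blackhole_candidates(log_text, compromised, prefix=24, min_accounts=2):
    """Only the suspect networks with no legitimate users, i.e. the ones the reply's
    advice would block from authenticating. Networks that legitimate users share
    (here 192.0.2.0/24 and 203.0.113.0/24) are deliberately left out."""
    return sorted(net for net, legit in
                  suspect_networks(log_text, compromised, prefix, min_accounts).items()
                  if not legit)


if __name__ == "__main__":
    compromised = {"alice", "bob"}  # accounts already known to be compromised
    for net, legit in sorted(suspect_networks(SAMPLE_LOG, compromised).items()):
        print(net, "shared with legitimate users:", legit or "none")
    print("safe to blackhole:", blackhole_candidates(SAMPLE_LOG, compromised))
```

Aggregating to /24 is a rough stand-in for "IP space"; on a real mail server you would map addresses to the announcing network (whois or a BGP prefix list) rather than a fixed prefix length, and keep the "shared with legitimate users" column, since blocking a network a real user lives in locks them out.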