[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 Ryan (Rjd0060) changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |INVALID --- Comment #13 from Ryan (Rjd0060) --- Closing - this can be revisited later if necessary, pending further discussion elsewhere. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 --- Comment #12 from Andreas F. Borchert --- I would like to second Neozoon in his comment above. The logins of the OTRS admins are well known. This discussion is in the public. To set PasswordMaxLoginFailed is an open invitation for the next vandal to get all OTRS admins locked out. Do not think that such incidents are unlikely. As Wikimedia and the support team are well known entities, it is just a question of time when eventually such an attack will be launched. This is not an "acceptable tradeoff," we would look like fools in the moment when it happens. And it does not matter whether PasswordMaxLoginFailed is set to 3, 10, 100, or whatever. Any limit can be reached if a vandal has the intention to launch this attack. I would recommend to protocol any login failures, to evaluate these logs every n minutes, and to block the IP addresses that generate more than m login failures within n minutes. Similar strategies tend to work out against brute force attacks on ssh logins. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 --- Comment #11 from Andreas F. Borchert --- I am not convinced that security is improved by setting PasswordMaxValidTimeInDays to low values as suggested, i.e. 180 days. Frequently enforced password changes force people to write their passwords down, to use passwords that can be more easily memorized, and/or to use some schemes that help them to remember changed passwords (e.g. changing just the last character of a password). All this weakens security. Here is a good essay by Gene Spafford regarding changing passwords: http://www.cerias.purdue.edu/site/blog/post/password-change-myths/ -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 Neozoon changed: What|Removed |Added CC||neoz...@gmx.net --- Comment #10 from Neozoon --- I think it is not a good idea to install the PasswordMaxLoginFailed check if it really disables the account. The accountnames are all known. There are only 9 admin accounts (all login names known) that need to be attacked and the OTRS is locked down if an attacker does 90 login attempts with these accounts. This risk is much higher than the risk of a brute force attack on passwords that would require massive amount of login attempts and can not be successful if the passwordstrength rules are enabled. Best regards Neozoon -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 --- Comment #9 from Jeff Green --- Regarding PasswordMaxLoginFailed I squinted at code and config and the feature does not appear to pay any attention to client host. I'm not sure whether that's good or bad--if it were host-specific it would be pretty easy to bypass. But whereas lockouts are usually time-based (i.e. 3 failed attempts gets you locked out for 10 minutes) I don't see anything in the code having to do with timers or auto unlock. I could be missing something. If this is in fact the case, and lockout requires manual intervention by an other admin, I would suggest we set it to ~10. I understand the DOS concern but IMO it's an acceptable tradeoff for not leaving ourselves wide open to brute force attacks. We can easily disable the lockout feature if it becomes a problem. Password length--6 is way too short, especially without other features to slow down brute force attacks. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 --- Comment #8 from Patrik --- While I like the idea of PasswordMaxLoginFailed in principle (because you can currently make endless attempts to crack an account), I see a problem with it here. (To my dislike) the list of login names is published. If PasswordMaxLoginFailed is enabled, someone could easily disable all accounts. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 --- Comment #7 from Emufarmers --- To clarify, simply disabling accounts after x invalid logins presents a clear DoS vector. Anything like this needs to be done on a per-hostname basis. See https://bugzilla.wikimedia.org/show_bug.cgi?id=9816#c13 and related discussions. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 Emufarmers changed: What|Removed |Added CC||emufarm...@gmail.com --- Comment #6 from Emufarmers --- None of these features seem desirable, except the minimum password length (it's somewhat astounding that that wouldn't be built into OTRS, though). 6 would probably be a sane value. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 --- Comment #5 from Ryan (Rjd0060) --- Sounds good to me. Is 5 a bit high for 'PasswordMaxLoginFailed'? I'd feel better around...3. 4 if you insist. But that's just me. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 --- Comment #4 from Jeff Green --- There are some configuration options to decide on. Here are the basics: Enforce a password renewal after X (configurable) days. Password-History to use the password X (configurable) times not to use again. Disable account after x invalid login attempts. Minimum size of the password. At least 2 small and 2 big letters in a password. At least 2 letters in a password. At least one number in a password. My suggestions: PasswordMaxValidTimeInDays 180 PasswordMaxLoginFailed 5 PasswordMinSize 10 PasswordHistory 3 (can't reuse the last 3 passwords) -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 Bug 61101 depends on bug 60271, which changed state. Bug 60271 Summary: Upgrade OTRS to the latest 3.2.x version https://bugzilla.wikimedia.org/show_bug.cgi?id=60271 What|Removed |Added Status|ASSIGNED|RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 --- Comment #3 from Jeff Green --- My vote is to keep OTRS as a standalone and use the Znuny4OTRS Password Policy package. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 Andre Klapper changed: What|Removed |Added Priority|Unprioritized |Normal Severity|normal |enhancement -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 p858snake changed: What|Removed |Added CC||p858sn...@gmail.com --- Comment #2 from p858snake --- (In reply to comment #1) > One question, do you have a LDAP directory at Wikimedia? So you could use the > authentication from this. Otherwise I also recommend to use Znuny4OTRS > Password > Policy. Yes, Labs ("Wikitech")/Gerrit is using LDAP as a backend. Although moving everyone over might be a pain. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 61101] Install "Password Policy" add-on to OTRS for improved security
https://bugzilla.wikimedia.org/show_bug.cgi?id=61101 Martin Edenhofer changed: What|Removed |Added CC||m...@znuny.com --- Comment #1 from Martin Edenhofer --- One question, do you have a LDAP directory at Wikimedia? So you could use the authentication from this. Otherwise I also recommend to use Znuny4OTRS Password Policy. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l