
List:       forgerock-opendj
Subject:    [Opendj] RE :  Password policies
From:       "Belleville-Rioux, Vincent" <rioux.vincent@uqam.ca>
Date:       2014-04-16 13:18:17
Message-ID: 0AD36E0192997748BD28BC68B14C75D0DCE6AE@Lettre.gst.uqam.ca

I believe the flaw is not limited to AD because if we use OpenDJ as the authentication system for things like wireless networks, devices may be hammering the directory with previous passwords as soon as one user changes his password legitimately.

The "feature" is the ability to distinguish between a bad password attempt and a previously-used password attempt.  Neither should enable a user to authenticate, but only the bad password attempt should count towards account lockout.

Scenario:

1 - User changes his password through legitimate means.
2 - The user's mobile phone is authenticated to the WPA enterprise network and thus tries to reauthenticate endlessly with the previous password.
3 - The user is locked-out.

At that point, the user will keep getting locked out until he updates his device, which may be a problem if the device in question is off the premises (at home) during that time.


There is also a side issue because the user will not be allowed to reuse his old password.  He thus cannot go back and replace his old password in hopes of getting out of this loop.

I find the AD "fix" very clever and it does make it possible to distinguish between an attack and a simple loop issue.

Vincent
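
The lockout behaviour Vincent describes, as an added illustrative example (not OpenDJ's or Active Directory's code, and not part of the original message): a password store keeps the hashes of a short history of retired passwords, and a bind attempt that matches one of those is refused but does not increment the lockout counter, while any other wrong password does. The class, field and parameter names, the history depth of two and the threshold of three are assumptions made for the example.

```python
"""Added example: a lockout counter that distinguishes a wrong password from a
stale (previously valid) one.  Illustrative code, not OpenDJ's or Active
Directory's implementation; names and policy values are assumptions.
"""
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass, field


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an example value, not tuning advice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    current: bytes
    # Hashes of retired passwords, most recent first (assumed history depth 2).
    history: deque = field(default_factory=lambda: deque(maxlen=2))
    failed_attempts: int = 0
    locked: bool = False


LOCKOUT_THRESHOLD = 3  # assumed policy value


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, current=_hash(password, salt))


def change_password(acct: Account, new_password: str) -> None:
    """Retire the current hash into the history and install the new one.

    Reuse of a password still in the history is refused, which is the side
    issue raised in the thread: the user cannot escape the loop by reverting
    to the old password.
    """
    candidate = _hash(new_password, acct.salt)
    if hmac.compare_digest(candidate, acct.current) or any(
        hmac.compare_digest(candidate, old) for old in acct.history
    ):
        raise ValueError("password reuse not allowed by history policy")
    acct.history.appendleft(acct.current)
    acct.current = candidate


def authenticate(acct: Account, password: str) -> str:
    """Return 'ok', 'stale', 'bad' or 'locked'.

    'stale' means the password matched a retired entry in the history: the
    bind is refused, but the lockout counter is not incremented, so a device
    looping on a superseded credential cannot lock the user out.  Only a
    'bad' attempt counts toward lockout.
    """
    if acct.locked:
        return "locked"
    candidate = _hash(password, acct.salt)
    if hmac.compare_digest(candidate, acct.current):
        acct.failed_attempts = 0
        return "ok"
    if any(hmac.compare_digest(candidate, old) for old in acct.history):
        return "stale"
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return "bad"


def demo() -> tuple:
    """Replay the thread's scenario: password changed, phone loops on the old one.

    Returns (set of results for the stale attempts, unlocked after the loop,
    locked after genuine bad guesses).
    """
    acct = create_account("Winter2013")  # constructed sample credentials
    change_password(acct, "Spring2014")
    # The device retries the superseded password far more often than the threshold.
    stale_results = {authenticate(acct, "Winter2013") for _ in range(10)}
    still_unlocked = not acct.locked
    # Genuine wrong guesses still count and lock the account.
    for _ in range(LOCKOUT_THRESHOLD):
        authenticate(acct, "hunter2")
    return stale_results, still_unlocked, acct.locked


if __name__ == "__main__":
    print(demo())
```

The trade-off a practitioner should note: because stale attempts are never counted, anyone holding a superseded password can probe the account indefinitely without triggering lockout, so such attempts should be logged and alerted on separately rather than silently dropped.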


________________________________________
From: opendj-bounces@forgerock.org [opendj-bounces@forgerock.org] on behalf of Ludovic Poitou [ludovic.poitou@forgerock.com]
Sent: 16 April 2014 09:11
To: OpenDJ discussion list
Subject: Re: [Opendj] Password policies

Hi Vincent,

To me, the link is not presenting a feature but a question pointing to
a flaw in the implementation of Active Directory.
So what is the expected feature ?

Regards,

Ludovic


On Wed, Apr 16, 2014 at 2:52 PM, Belleville-Rioux, Vincent
<rioux.vincent@uqam.ca> wrote:
> Hi,
>
> Does OpenDJ have such a feature :
>
> http://blogs.technet.com/b/instan/archive/2012/09/17/why-doesn-t-a-user-get-locked-out-after-a-number-of-invalid-password-attempts-greater-than-the-domain-account-lockout-policy.aspx
>
> Vincent
>
> _______________________________________________
> OpenDJ mailing list
> OpenDJ@forgerock.org
> https://lists.forgerock.org/mailman/listinfo/opendj
>
_______________________________________________
OpenDJ mailing list
OpenDJ@forgerock.org
https://lists.forgerock.org/mailman/listinfo/opendj