
List:       sg-dc
Subject:    RE: [sg-dc] Brief paper about passwords at cryptonomicon.net
From:       "Robert Weiss" <rweiss () itaco ! com>
Date:       2003-06-04 14:09:54

Certainly a dictionary attack that directly attacks the hashed/stored
password is one of the possibilities to be considered in developing a secure
system (particularly if the file that stores the hashes is compromised.)
However, a dictionary attack that comes in through the front door by
automating the guessing of passwords and feeding in the dictionary of
guessed passwords is also a possibility.  I am surprised at how many systems
allow for unlimited guesses and rapid return of results.  One of the best
ways to protect passworded accounts is to simply slow down the speed of the
response (just ask the application to pause for 1 second) and to lock the
account after a certain number of incorrect guesses.  This would stop an
automated guessing script cold (and may give the administrator early warning
that something is happening.)  I would add these two features to best
password coding practices.

Robert Weiss
Account Manager
ITA Corporation
2401 Research Boulevard, Suite 350
Rockville, MD  20850
(301) 948-4471
FAX:  (301) 948-9639
CELL:  (240) 876-7921
rweiss@itaco.com
http://www.itaco.com
Financial, HR, Project and Front-Office System Design and Implementation
Wide-Area Network Design and Implementation
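The two controls described above (a fixed pause before every login response, and a lockout after a set number of wrong guesses that also raises an alert) are shown below as an added example; this is not code from the message or from the cryptonomicon.net paper. It assumes an in-memory account table with salted PBKDF2 hashes, a hypothetical 5-failure / 15-minute policy, and a caller-supplied clock and sleep so the scenario runs offline without real waiting; the wordlist and account are constructed for the demo.

```python
"""Front-door guessing defences: fixed response delay plus lockout with alerting.

Added example (not from the original mailing-list message). Assumes an
in-memory account store, PBKDF2 password storage, and an injectable clock.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_FAILURES = 5            # assumed policy: lock after this many wrong guesses in a row
LOCKOUT_SECONDS = 15 * 60   # assumed policy: how long a locked account refuses logins
RESPONSE_DELAY = 1.0        # fixed pause before every response, success or failure
PBKDF2_ROUNDS = 100_000     # work factor for the stored hash


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored form is (salt, digest)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive wrong guesses since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class LoginService:
    # clock/sleep are injectable so the demo and its test need no real waiting;
    # production code keeps the time.time / time.sleep defaults.
    clock: Callable[[], float] = time.time
    sleep: Callable[[float], None] = time.sleep
    accounts: Dict[str, Account] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)  # stand-in for paging the admin

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        """True only for a correct password on an unlocked account.

        Every path pays the same delay and returns a bare True/False, so the
        response alone does not distinguish unknown user, wrong password, or locked.
        """
        self.sleep(RESPONSE_DELAY)
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)  # burn the same hash cost as a real user
            return False
        if acct.locked_until > now:
            return False
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            acct.locked_until = 0.0
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self.alerts.append(f"{username}: locked after {MAX_FAILURES} failed logins at {now:.0f}")
        return False


def dictionary_attack(service: LoginService, username: str, wordlist: List[str]) -> dict:
    """Model the automated front-door guesser: try each word until one works."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        if service.login(username, guess):
            return {"cracked": True, "attempts": attempts}
    return {"cracked": False, "attempts": attempts}


def demo() -> dict:
    """Run the scenario on a fake clock; the 1 s pauses still accrue as elapsed time."""
    state = {"now": 1_000_000.0}
    svc = LoginService(clock=lambda: state["now"],
                       sleep=lambda s: state.__setitem__("now", state["now"] + s))
    svc.register("alice", "correct horse battery staple")
    # Constructed wordlist: the real password is 8th, past the lockout threshold.
    wordlist = ["password", "123456", "alice", "letmein", "qwerty",
                "summer2003", "welcome", "correct horse battery staple"]
    result = dictionary_attack(svc, "alice", wordlist)
    result["alerts"] = list(svc.alerts)
    result["elapsed_seconds"] = state["now"] - 1_000_000.0
    # The owner is refused while the lock holds, then admitted once it expires.
    result["owner_during_lock"] = svc.login("alice", "correct horse battery staple")
    state["now"] += LOCKOUT_SECONDS
    result["owner_after_lock"] = svc.login("alice", "correct horse battery staple")
    result["failures_after_success"] = svc.accounts["alice"].failures
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The guessing loop is stopped after five wrong answers even though the correct password is in its wordlist, and the lockout leaves an alert entry for the administrator. The caveat the message hints at but does not spell out: a lockout is also a denial-of-service lever against a known username, so the lock should expire on its own (as above) and the response should not reveal that it is in effect.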

-----Original Message-----
From: sg-dc-admin@securitygeeks.com
[mailto:sg-dc-admin@securitygeeks.com]On Behalf Of Larry Cohen
Sent: Tuesday, June 03, 2003 5:08 PM
To: sg-dc@securitygeeks.com
Subject: [sg-dc] Brief paper about passwords at cryptonomicon.net


From time to time I consult with startups in the Bay
Area and Northern Virginia. I recently had an argument
with a security implementor at one of these companies
about how to implement a specific password feature. We
decided to trust the judgement of a disinterested
third party and asked Matt Hamrick to whip up a brief
"Best Practices for Developers Implementing Security
Features." Matt did a brilliant job (which is to say
we agree on some of the guidelines for developers
working on password management systems.) I thought it
might be of interest to others on this list. You too
might be having a spat with someone about whether
such-and-such a technique is considered a best
practice or what-not.

Matt's paper is available at
http://www.cryptonomicon.net/modules.php?name=Sections&op=viewarticle&artid=21


_______________________________________________
sg-dc mailing list
sg-dc@securitygeeks.com
http://securitygeeks.shmoo.com/mailman/listinfo/sg-dc


