[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: password policy - alternate lockout mechanism

To: "Howard Chu" <hyc@symas.com>, "Aravind Gottipati" <aravind@freeshell.org>
Subject: RE: password policy - alternate lockout mechanism
From: "Clowser, Jeff" <jeff_clowser@fanniemae.com>
Date: Wed, 28 Jan 2009 17:28:46 -0500
Cc: openldap-software@openldap.org
Content-class: urn:content-classes:message
In-reply-to: <4980D453.3060808@symas.com>
References: <a1348d630901261702h2bc88204o2b21b549e18e936a@mail.gmail.com> <497F4421.5030700@symas.com> <a1348d630901271107t2d5514b4t399c741bf7b00d6e@mail.gmail.com> <C65F80C878CCF24A9BC19646DE2DCA62021C0623@EXVG.fanniemae.com> <38622554-0C30-4C95-BCDB-9452FC24DA8B@OpenLDAP.org> <C65F80C878CCF24A9BC19646DE2DCA62021C0628@EXVG.fanniemae.com><a1348d630901281315md8b28d2x51ff6a2b4b09f4aa@mail.gmail.com> <4980D453.3060808@symas.com>
Thread-index: AcmBk29/vOQq+r4sTyukx37FSFAm5wAALB3Q
Thread-topic: password policy - alternate lockout mechanism

>> Also, I am not sure how this will be any greater security risk than
>> the current system of storing a SSHA hash of the current password
>> within LDAP?  We could store similar hashes of all the passwords
tried
>> (upto pwdMaxFailure) and compare against that?
>
>I'm wondering if that's even necessary. According to your description
so far, 
>it would be sufficient to only store 1 failed password. If as you say,
the 
>same password is tried multiple times, then this should be good enough.

The caveat to this is that if you have two or three or N different
passwords tried (one by an app that has the old password, one 
because of a fat finger mistake, etc in no particular order), how 
do you know which one to store?  I think you'd have to store a hash 
of all failed passwords tried within the window of time defined.

I'm thinking the values would look something like:

<timestamp>;{<scheme>}<hash>

The timestamp would be the most recent time this was seen,
scheme is crypt/sha/ssha/etc matching whatever is in the 
userpassword attribute, and hash is the encrypted password.

If the number of values in this attribute exceed the number 
of max fails allowed, the account is locked.  Timestamp is
needed to eventually expire and remove it.

The problem I would be concerned about is if this was really
under a brute force attack, the number of values in this attribute
could grow very quickly.  Would it be reasonable to only store
the last pwdMaxFailure passwords tried?  I think maybe it would,
but haven't really thought it through yet.

Jeff

Follow-Ups:
- Re: password policy - alternate lockout mechanism
  - From: Kurt Zeilenga <Kurt@OpenLDAP.org>
- Re: password policy - alternate lockout mechanism
  - From: Howard Chu <hyc@symas.com>

References:
- password policy - alternate lockout mechanism
  - From: Aravind Gottipati <aravind@freeshell.org>
- Re: password policy - alternate lockout mechanism
  - From: Howard Chu <hyc@symas.com>
- Re: password policy - alternate lockout mechanism
  - From: Aravind Gottipati <aravind@freeshell.org>
- RE: password policy - alternate lockout mechanism
  - From: "Clowser, Jeff" <jeff_clowser@fanniemae.com>
- Re: password policy - alternate lockout mechanism
  - From: Kurt Zeilenga <Kurt@OpenLDAP.org>
- RE: password policy - alternate lockout mechanism
  - From: "Clowser, Jeff" <jeff_clowser@fanniemae.com>
- Re: password policy - alternate lockout mechanism
  - From: Aravind Gottipati <aravind@freeshell.org>
- Re: password policy - alternate lockout mechanism
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: password policy - alternate lockout mechanism
Next by Date: Re: Oracle back_sql support question openldap-2.4.11
Index(es):
- Chronological
- Thread