Stories
Slash Boxes
Comments

SoylentNews is people

DHS Warns Against “Password Spray” Brute Force Attacks

posted by Fnord666 on Sunday May 12 2019, @01:41PM   Printer-friendly
from the horse-battery-staple-correct dept.

MrPlow writes:

Submitted via IRC for AndyTheAbsurd

The DHS recently issued a warning against the use of common and or easily guessed passwords after several government agencies have been targeted by "password spray" attacks.

It seems that the world outside of technologists will never listen to advice regarding strong passwords, not reusing passwords, not writing passwords down, etc. If you're an administrator and have the ability to do so - for the love of Dog, please enable TOTP (https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) or something similar - and remember that SMS is far too easy to spoof to be considered a secure method of delivering one-time passwords."

Source: SC Magazine

Original Submission

 
This discussion has been archived. No new comments can be posted.
DHS Warns Against “Password Spray” Brute Force Attacks | Log In/Create an Account | Top | 30 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1, Informative) by Anonymous Coward on Sunday May 12 2019, @07:05PM (4 children)

    by Anonymous Coward on Sunday May 12 2019, @07:05PM (#842736)

    Your comment makes clear that you don't know what TOTP is and mistook it for password expiration.

    TOTP stands for Time-based One-Time Password. The output of the algorithm is equal to the HMAC-based One-Time Password of a secret key, but with the current Unix time as the counter and the window length. HOTP parameters are a hash algorithm, secret key, and a counter. First you take the shared secret key, put that into the HMAC algorithm using the agreed-upon hash and current time as a counter. You then take that result and truncate it by taking the four least significant bits to get an offset, which you then use to select 31 bits from your result using a different algorithm. That number is turned into a positive signed number. Then using the length of your TOTP password (d), you then take the number modulo 10^d to get your final returned value. That password is accepted for three password windows (past, current, future) to allow for skew in the clocks and password entry.

    The important notes are that current TOTP passwords cannot be used to figure out past or future TOTP passwords. Also, it only counts as something you have, because anyone that knows all the parameters can generate arbitrary TOTP values.

    Starting Score:    0  points
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Total Score:   1  

  • (Score: 2) by FatPhil on Sunday May 12 2019, @10:41PM (3 children)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Sunday May 12 2019, @10:41PM (#842782) Homepage
    > it only counts as something you have, because anyone that knows all the parameters can generate arbitrary TOTP values.

    Therefore it's something you *know*, not *have*, but I presume you mis-typed, as you seem to be mostly on top of things.

    > shared secret key

    However, not on top of things enough to be willing to address this issue from my gpp.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves

    • (Score: 1, Informative) by Anonymous Coward on Monday May 13 2019, @12:58AM (2 children)

      by Anonymous Coward on Monday May 13 2019, @12:58AM (#842808)

      No, it is a "have" because most people save the compiled list of parameters+key to an authentication app, (e.g. Google Authenticator, FreeOTP, or Authy), rather than keep it memorized and calculate it manually each time. This app, by definition, is a "soft token" and tokens are "something you have."

      And I wasn't trying to address your issue, I was addressing my parent's misunderstanding of what TOTP is. By its nature, you can't have a "salted and hashed" version of the secret key, because both sides have to have the same key, or the algorithm won't work. The second you salt it or hash it or whatever, the result just becomes another parameter to the algorithm or the new secret key, because both sides have to have the same information to calculate the same TOTP. That is a well-know and obvious pitfall of TOTP, but the algorithm was mean to cover a completely different threat model than passwords, not replace them.

      • (Score: 2) by FatPhil on Monday May 13 2019, @11:00AM (1 child)

        by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday May 13 2019, @11:00AM (#842947) Homepage
        Thanks for the clarification. Not being an "app" user, it wasn't obvious to me that the "app" would store the shared secret. It's a bit copyable for my liking, which I consider should be hard for a security token (something you have), contrasting against something you know, which is duplicated every time it's used.

        I write my password down on a post-it note, and am so lazy I enter it using OCR via the webcam - is that something I know, or something I have.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves

        • (Score: 0) by Anonymous Coward on Tuesday May 14 2019, @02:43AM

          by Anonymous Coward on Tuesday May 14 2019, @02:43AM (#843237)

          A written-down password is something you know, changing the medium doesn't change the original threat model reason for that authentication mode. If you are having a hard time with this, think of the TOTP token like an SSH key. The fact that you could theoretically remember all the parameters and a hundreds, if not thousands, of bits long pseudorandom number doesn't change the fact that it is supposed to be something you carry around in the proper form for authentication, as opposed to being locked in your memory.