SoylentNews is people

posted by Fnord666 on Sunday May 12 2019, @01:41PM
from the horse-battery-staple-correct dept.

Submitted via IRC for AndyTheAbsurd

The DHS recently issued a warning against the use of common and/or easily guessed passwords after several government agencies have been targeted by "password spray" attacks.

It seems that the world outside of technologists will never listen to advice regarding strong passwords, not reusing passwords, not writing passwords down, etc. If you're an administrator and have the ability to do so - for the love of Dog, please enable TOTP (https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) or something similar - and remember that SMS is far too easy to spoof to be considered a secure method of delivering one-time passwords.

Source: SC Magazine


Original Submission
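The submission asks administrators to "enable TOTP" without saying what a correct verifier has to do. The following is an added example, not code from the submission, SC Magazine or DHS: a server-side RFC 6238 verifier built on RFC 4226 HOTP. Beyond producing six digits it shows the two details that matter in deployment, a small time-step window for clock skew and refusal of any code for a step that was already accepted (replay), as RFC 6238 section 5.2 recommends. The key is the RFC 6238 test secret; the user names, timestamps and the in-memory key store are constructed for the example.

```python
"""Server-side TOTP verification (RFC 6238 on top of RFC 4226 HOTP).

Added example, not code from the post, SC Magazine or DHS. The key is
the RFC 6238 test key; users, timestamps and codes are constructed.
Shown beyond "produce six digits": a +/-1 step window for clock skew,
and rejection of a code for a time step that was already accepted
(replay), per RFC 6238 section 5.2.
"""
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix_time // step."""
    return hotp(key, at // step, digits)


class TotpVerifier:
    """Per-user verifier with a skew window and replay rejection."""

    def __init__(self, keys: dict, step: int = 30, digits: int = 6,
                 window: int = 1):
        self.keys = keys            # user -> shared secret (assumed store)
        self.step = step
        self.digits = digits
        self.window = window        # accept steps t-window .. t+window
        self.last_step = {}         # user -> highest step already accepted

    def verify(self, user: str, code: str, now=None) -> bool:
        key = self.keys.get(user)
        if key is None or len(code) != self.digits:
            return False
        now = int(time.time()) if now is None else now
        t = now // self.step
        for cand in range(t - self.window, t + self.window + 1):
            if hmac.compare_digest(hotp(key, cand, self.digits), code):
                # Replay defence: a step at or before the last accepted
                # one is dead even though the code itself is valid.
                if cand <= self.last_step.get(user, -1):
                    return False
                self.last_step[user] = cand
                return True
        return False


RFC_KEY = b"12345678901234567890"   # RFC 4226/6238 test secret

if __name__ == "__main__":
    v = TotpVerifier({"alice": RFC_KEY})
    code = totp(RFC_KEY, 59)                   # "287082" per RFC 6238
    print(v.verify("alice", code, now=59))     # True
    print(v.verify("alice", code, now=60))     # False: same step, replay
```

The replay check is what keeps a shoulder-surfed or phished code from being usable twice inside its 30-second step; the window is kept at one step because every extra step roughly doubles the guessing surface for a six-digit code, and rate limiting per user still has to sit in front of this.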

  • (Score: 2) by pipedwho on Monday May 13 2019, @04:08AM

    And don't forget the two digits at the end that usually equal the multiple of timed expirations that have occurred since they started working at the company.

    Years ago I was working with a big company that had their password database (plaintext naturally) compromised. Everyone was forced to reset their password (for the Nth time since they had a 3 month password expiration policy) - and naturally they'd been conditioned to use their usual tricks for modulating their passwords. In a penetration test, our guys ran the old password system against the newly reset passwords and 90+% of the passwords were a simple modulation of a base password (mostly just adding 1 to a counter, or a date).

    We recommended they get rid of their timed password expiration policy and only force password resets for good reasons. Told them to get rid of the upper/lower/number mix and just increase the minimum password length to 12 digits. Users were given methods to avoid using 'bad' words for their passwords (like usernames, dates, counters, etc). Passwords were no longer kept plain text (but that doesn't help protect against easy to guess passwords when compromised hash tables can be attacked). And the users were explicitly told they had to change their password due to a compromise, and would no longer be asked to periodically change their passwords, so should come up with something secure.

    After the next password reset, our pen testers could only get into about 0.5% of the accounts with a week long effort of dictionary attacks, modulations on the cracked password database, and targeted attacks on information gleaned from user social media profiles. Half a percent is pretty good for this sort of thing. Most companies come in orders of magnitude worse when they create stupid password policies.

    On a positive note, NIST has changed their best practice password strategy to explicitly recommend not using timed password expiration, and also not to require a mix of uppercase/lowercase/digits.

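The audit pipedwho describes (old compromised plaintexts, run through the users' usual modulations, tested against the freshly reset store) is easy to reproduce, and is worth running after any forced reset to measure how much of the reset actually changed anything. The following is an added example, not pipedwho's tooling: it generates the modulations the comment names (counter or year bumped, season swapped, a suffix appended) and checks them against salted hashes. All users, passwords and salts are constructed; hash_pw() is a SHA-256 stand-in for whatever KDF the real store uses, and a real audit must call the production KDF (bcrypt, scrypt, Argon2), whose cost also bounds how many candidates per user are affordable.

```python
"""Audit a reset password set for "modulated" reuse of leaked passwords.

Added example, not pipedwho's tooling. Reproduces the check in the
comment above: take the old compromised plaintexts, generate the usual
modulations and test them against the new store. Users, passwords and
salts are constructed. hash_pw() is a SHA-256 stand-in; a real audit
calls the production KDF (bcrypt/scrypt/Argon2).
"""
import hashlib
import hmac
import re

SEASONS = ("Spring", "Summer", "Autumn", "Fall", "Winter")


def hash_pw(password: str, salt: str) -> str:
    """Stand-in salted hash; replace with the store's real KDF."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def modulations(old: str, year: int = 2019, deltas=range(1, 4)) -> set:
    """Candidates a user is likely to pick when told to change `old`."""
    bases = {old}
    for s in SEASONS:                        # Winter2018! -> Spring2018!
        if s.lower() in old.lower():
            for t in SEASONS:
                bases.add(re.sub(s, t, old, flags=re.IGNORECASE))
    cands = set()
    for b in bases:
        cands.add(b)
        m = re.match(r"^(.*?)(\d+)(\D*)$", b)    # last run of digits
        if m:                                    # Sunshine07 -> Sunshine08
            pre, num, post = m.groups()
            for d in deltas:                     # keep zero padding
                cands.add(pre + str(int(num) + d).zfill(len(num)) + post)
        for suffix in ("1", "!", "1!", str(year)):
            cands.add(b + suffix)
    cands.discard(old)       # plain reuse is tried first by audit()
    return cands


def audit(old_plain: dict, new_store: dict, hash_fn=hash_pw) -> dict:
    """user -> recovered new password, or None if nothing matched."""
    found = {}
    for user, old in old_plain.items():
        salt, digest = new_store[user]
        found[user] = None
        for cand in [old, *sorted(modulations(old))]:    # reuse first
            if hmac.compare_digest(hash_fn(cand, salt), digest):
                found[user] = cand
                break
    return found


def crack_rate(found: dict) -> float:
    """Fraction of accounts whose new password was recovered."""
    return sum(v is not None for v in found.values()) / len(found)


# Constructed data: leaked plaintexts and the post-reset store.
OLD_PLAINTEXT = {"alice": "Winter2018!", "bob": "Sunshine07",
                 "carol": "Tr0ub4dor&3", "dave": "Password11"}
NEW_STORE = {
    "alice": ("s1", hash_pw("Winter2019!", "s1")),   # year bumped
    "bob":   ("s2", hash_pw("Sunshine08", "s2")),    # counter +1
    "carol": ("s3", hash_pw("correct horse battery staple", "s3")),
    "dave":  ("s4", hash_pw("Password12", "s4")),    # counter +1
}

if __name__ == "__main__":
    result = audit(OLD_PLAINTEXT, NEW_STORE)
    for user, pw in result.items():
        print(f"{user:6} {'MODULATED ' + pw if pw else 'not recovered'}")
    print(f"recovered {crack_rate(result):.0%} of accounts")
```

On the constructed data three of four accounts fall to a handful of candidates each, which is the 90%+ regime the comment describes; the one account that picked an unrelated passphrase costs the same hash budget and yields nothing. The useful number to report back to the organisation is crack_rate() per reset, not the raw list of recovered passwords.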