2007-04-09 Security Link Of The Day

Time to bang my own trumpet - occasionally I receive requests to address a particular customer's requirement, viz: three-strikes lockout, where if a person fails to log in to a system (eg: by mistyping a password) three times in succession, then some manner of portcullis drops and the resource is barred from further access. The account gets locked, in the same old way that was popular on even-then-antiquated mainframes back when I was a student, some 20 years ago.

So I wrote this explanation of my thoughts upon the matter:

"Three-Strikes" Password Security Considered Antiquated, Hazardous, Stupid and Wrong.

(...deletia...)

The problems of "three-strikes" in the modern enterprise environment are legion: in modern distributed authentication directories - NIS, LDAP, etc - there is typically no central authority counting the number of failed authentication attempts, generally for technical reasons. For example: LDAP is deeply sub-optimal for poking little bits of data like that back to a central place for immediate propagation to all replicas. No immediacy == no security.

Even if there were a central authority that brokered this sort of information, it would be subject to flooding attacks by miscreants who could tie up that one service and thereby prevent anyone from authenticating in your enterprise, with significant business impact.

You cannot architect around this risk by including a "timeout" or other "we've tried checking whether the user has struck-out but got no reply, so we'll let him in anyway" mechanism, because that defeats the whole point of the policy.

Anyway - what merits being called "authentication" nowadays? Would you like it if you changed your system password, and then - having walked away for a coffee - your automatic IMAP-enabled mail client goofed-up three authentications and locked you out of your own system because you forgot to update the client?
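To make the failure modes above concrete, here is an added toy simulation of a three-strikes policy. It is example code written for this page, not the author's and not modelling any real directory product; the user name, replica names, passwords and the MAX_FAILURES constant are all constructed. It shows three things the post argues: replicas that count strikes independently multiply the number of guesses that still get checked, a forgotten mail client retrying an old password locks the real owner out, and a "let him in anyway" fallback when the counter is unreachable stops enforcing the policy at all.

```python
"""Toy model of a "three-strikes" lockout policy (constructed example).

Not the post author's code and not a model of any real LDAP/NIS product;
it exists only to illustrate the failure modes the post describes.
"""

from dataclasses import dataclass, field

MAX_FAILURES = 3  # the "three strikes" (constructed policy constant)


@dataclass
class Replica:
    """A directory replica that counts failed logins only locally.

    Constructed model of the post's point that replicas do not share
    failure counts with any immediacy.
    """
    name: str
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def authenticate(self, user: str, password: str, correct: str) -> str:
        """Return 'ok', 'fail' or 'locked' for one login attempt."""
        if user in self.locked:
            return "locked"
        if password == correct:
            self.failures[user] = 0  # success resets the strike count
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)  # portcullis drops on this replica only
            return "locked"
        return "fail"


def guesses_checked_before_all_replicas_lock(replica_count: int) -> int:
    """How many wrong guesses still get compared against the real password
    when they are spread round-robin over replicas that never sync counters.

    One replica gives 3; N replicas give 3*N, which is what
    "no immediacy == no security" means in practice.
    """
    replicas = [Replica(f"ldap{i}") for i in range(replica_count)]
    checked = 0
    i = 0
    while any("alice" not in r.locked for r in replicas):
        r = replicas[i % replica_count]
        if "alice" not in r.locked:
            r.authenticate("alice", f"wrong{checked}", "s3cret")
            checked += 1
        i += 1
    return checked


def stale_client_locks_out_owner() -> str:
    """Owner changes the password; a forgotten IMAP client retries the old
    one three times; the owner's own correct login is then refused."""
    directory = Replica("ldap0")
    new_password = "new-pass"
    for _ in range(MAX_FAILURES):
        directory.authenticate("alice", "old-pass", new_password)  # mail client
    return directory.authenticate("alice", new_password, new_password)


def fail_open_check(broker_reachable: bool, fail_open: bool,
                    failures_recorded: int) -> bool:
    """Decision a login front-end makes when the central strike counter may
    be unreachable.  Returns True if the attempt may proceed to a password
    check.  With the broker down, a fail-open policy ignores the counter
    entirely, and a fail-closed one refuses everyone: neither is acceptable,
    which is the post's objection to a "timeout" escape hatch."""
    if not broker_reachable:
        return fail_open
    return failures_recorded < MAX_FAILURES


if __name__ == "__main__":
    print("guesses checked, 1 replica :", guesses_checked_before_all_replicas_lock(1))
    print("guesses checked, 4 replicas:", guesses_checked_before_all_replicas_lock(4))
    print("owner after stale client   :", stale_client_locks_out_owner())
    print("broker down, fail-open     :", fail_open_check(False, True, 99))
```

Running it prints 3 and 12 for the replica cases, "locked" for the owner who forgot to update a mail client, and True for the fail-open case even though 99 failures were already on record.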

(continues...)

- Alec
