Women in Technology

Hear us Roar



Article:
  Protect Yourself Against Kerberos Attacks
Subject:   password cracking
Date:   2004-03-08 00:46:40
From:   jwenting
Of course ANY authentication scheme that relies on only username and password can be cracked using repeated attempts.


This is why most password protected resources will limit the number of unsuccessful login attempts over a time period to a reasonably low number that still guarantees a typo won't lock the user out forever.


For increased security extra services will be required such as limiting login attempts (or better yet hiding the server from all but) a known trusted range of network addresses (either logical addresses such as IP ranges or stronger still physical addresses like MAC addresses or other hardware specific data, possibly a combination of all these).


By using both hardware authentication combined with allowing only known network addresses AND username/password authentication you can at least be sure that any attempt comes from inside the known network AND from a known machine on that network.
If you have people using l0phtcrack on the internal LAN it should then be easy to catch them by logging the number of repeated fail attempts from a single connection and having some alarm rigged to security if there's an unusual number of fails from a given location (say more than 5 attempts in a 10 minute interval to the same account, or attempting to log into 5 accounts in that same interval).


Adding smartcards into the equation makes it even easier to pinpoint the source of the intrusion attempt.
If the computer will function only with a smartcard inserted (and if you allow network access only from known computers you can enforce that by allowing only computers onto the LAN that you know have a smartcard reader blocking the hardware) and the smartcard ID transmitted as part of the authentication data you will know whose card it is and therefore be able to pinpoint the responsible user (unless his card was stolen but the user should report that enabling you to disallow the smartcard access to the network).
Using biometrics can of course provide even better security, allowing access only when an irisscan or fingerprint are provided and authenticated (possibly in combination with a smartcard storing the same AND a username/password combo, depending on the level of security you want).

Full Threads Oldest First

Showing messages 1 through 3 of 3.

  • password cracking
    2007-11-16 15:08:01  greatgrahambini [View]

    You misunderstood the article. This is an OFFLINE attack, meaning that the attacker sniffs some cipher text, then takes that cipher text and attempts to guess the password that produced it by encrypting it himself. This cannot be detected or prevented by limiting login attempts because the attacker won't login until he has discovered a valid password offline.
  • password cracking
    2004-06-13 07:54:34  TCBz [View]

    Adding variable parameters can enlarge the amount of variations to eternity.


    _______________________
    Translated by Mail-Translator
  • password cracking
    2004-05-25 18:13:07  rwb00 [View]

    But this is an offline attack, so all that needs to be done is sniff one authentication attempt and no trackable attempts will be logged/denied.