In a perfect world this should be done at all layers of your application, both at the front end and at the back end.  At the front end, this is usually easy, as you control the application, and the code that goes into it.  Adding a module like this is pretty easy.  On the back end you’ve got less options available to you.  You are pretty much at the mercy of your database vendor on this one.

However the database vendors have heard our requests for more security in the platforms and they have begun to respond.  As an example Microsoft SQL Server has since the release of SQL Server 2005 included the ability to have the SQL Logons follow the same security requirements as Windows Logons on the Windows Active Directory domain.  (Other database vendors may offer similar features, but as I mostly use Microsoft SQL Server I’m not aware of them.  If you are please feel free to comment below.)

Now with this comes some risk.  Because if you were to enable these settings and someone did try to break into the database server using this account, the account would lock out.  This is both good and bad.  Its good because they aren’t able to continue the attack, however its also bad because your business application isn’t able to log into the database either.

Open source apps such as WordPress are starting to get these features added into them.  There’s a plugin for WordPress called “Login LockDown” which allows the WordPress admin site to lock it self down if the same person gets the password wrong more than n number of times.  The options are totally configurable by the blog owner, so you can set your settings as high or as low as you want.

So, what’s the point of all this you ask?  It’s pretty simple, and it is easier when you look at the math.  Assume you wanted to attack a system which takes 1/10th of a second to check a password.  Using the characters on the standard keyboard (letters, numbers, symbols) you’ve got ~94 characters to work with.  Assuming an 4 character password of say “test” there are 78074896 character combination to try.  Assuming you try all the combination (just to make sure you get the correct password) it will take about 90 days to test all the options.  Now if every 5 failed attempts we lock the account for one hour that test times goes from 90 days to 3012 years (if I’m done my math correctly).

The next question then becomes, why would anyone take 90 days to break my password.  The answer is that they wouldn’t.  They would use more than one machine to reduce that 90 days down to a more manageable number.  If using 10 computers and you break with workload up evenly across the 10 computers that 90 days, is now 9 days.  20 computers will get it done in 4.5 days.  50 computers will get it done in 1.8 days.  All of a sudden by simply throwing a few computers at the problem the password gets broken very quickly.  Now longer passwords will make this take longer, but if you have a system which people really want to break into they could get access to one of the large botnets and have 100,000 computers work on breaking into your site.  Even with a very strong password, it wouldn’t take all that long to brute force your way into your passwords.

The only sure fire way to stop someone from brute forcing there way into your accounts is to lock those accounts after the password has been tried incorrectly several times.  Don’t make the limits to low that your customers can get into there own services, but don’t make them so loose that people can break into those services.

Denny

I just received this text message “First Heritage Bank Alert: Your CARD has been DEACTIVATED. Please contact us at 877-649-1737 to REACTIVATE.”. Now I know this is a scam for a couple of reasons.

1. I don’t have an account with First Heritage Bank
2. A bank wouldn’t text me to have them call me.
3. They’d tell me to call without providing a number, instead telling me to use the number on my card.
4. They’d identify the account which has a problem.

If you see this don’t call them. I’d say report it to your local law enforcement but they probably don’t really care, and probably won’t do anything about it. Good luck if you decide to call your local law enforcement.

Denny

P.s. Sorry for any spelling issues. This was posted from my blackberry. I’ll spell check from home.

The most common way for people to remember there passwords is to write them down.  The most common place to store these passwords that have been written down is under the keyboard.  I’ll bet if you walked around the company you work for at night (especially in a non-technical part of the company) and start flipping keyboards over you’ll find a bunch of peoples passwords.

While some of these people may not have access to information which is all that important, I’ll bet a few people that you’ll run across have access to some interesting stuff.  (For the love of god don’t start using there passwords, that’s just asking to get fired.)

Some middle ground needs to be found between passwords which a 3 year old can guess such as “password” and 30 character passwords that have to be reset every day because the person can’t remember there password.

The easiest way to create a secure, yet easy to remember password is to use a passphrase instead of a password.  There’s a couple of different ways to do this.

1. Use an entire phrase just without the spaces.  Make sure to use caps where needed, and stick a number or two in there so that it meets the requirements.  This will give you a nice long password that is hopefully easy to remember.  Something like “ThisIsMyR3allyL0ngPassword-No1CanFigureItOut” is perfect.  It’s very long, has numbers, upper and lower case letters, and a symbol.  And when your auditor comes by asking how long your password is, you can tell him 44 characters.
2. The second technique is to take a song lyric or line from a poem and use the first letter of each word.  Now be sure not to actually say the phrase out loud since it won’t take long for someone to figure out what you are using for your password.  After you have your phrase stick a couple of numbers in there and make some letters upper and lower case and you are done.  As an example if I were to use the title of this article as a password it could be “Itap-1nuyk”.  It’s still easy for me to remember for no one else will remember it.

When using these sorts of long secure passwords you protect not only your company but yourself.  Everything you do at work is traceable by the company, which means that anything that someone else does when logged into the company network as you can be tracked as well.  While this is good, it means that because your username and password were used to access the network it is assumed that everything which was done was done by you, and you’ll be the one getting in trouble for what ever the other person did.

Protect yourself, protect your company.  Use a long password, but don’t write it down.

Denny