[cryptography] Password non-similarity?

Kevin W. Wall kevin.w.wall at gmail.com
Mon Jan 2 19:58:23 EST 2012

On Mon, Jan 2, 2012 at 7:12 PM, Craig B Agricola <craig at theagricolas.org> wrote:
> On Sun, Jan 01, 2012 at 03:16:39AM -0000, John Levine wrote:
>> Where's this log?  Wherever it is, it's on a system that also has their
>> actual password.
>> If I wanted to reverse engineer passwords, this doesn't strike me as a
>> particularly efficient way to do so.
>> R's,
>> John
> Well, the log is presumedly unencrypted on the same machine that has a
> *hash* of their actual password.  It takes a lot longer to crack against
> the hashed password list than it does to scan the log for these type of
> log messages, which they can then check against the hashed password
> database quickly and easily.  I agree with Kevin that this scenario
> isn't enough justification for the overhead and user annoyance that is
> forced password rotation, but it's not an unreasonable scenario to want
> to mitigate.  Some web servers even make it easy to accidentally export
> the logs, since often HTTP is the access method of choice for the people
> who actually should be able to review the logs...

Agree that cracking effort far exceeds the effort of scanning the logs,
but keep in mind that in most cases, if you can break in and have the
password hash readable, then you likely already have admin permissions
and it's game over. (E.g., consider that /etc/shadow usually only readable
by root and group 'shadow'.) OTOH, depending on where you log such
failures, that may or may not be word readable. (It really shouldn't be,
but many times it is.) And even if you are using syslog and a remote
log server and sending this to some SIEM product, keep in mind that
those monitoring these logs via a SIEM usually do not have superuser access
on those servers.

But, please understand that I was not trying to imply that this means
that periodically requiring password changes is a good idea. Generally,
it's a bad idea when we try to enforce a one-size-fits-all security policy
to everything. One needs to evaluate this on a risk basis on a case
by case basis.

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein

More information about the cryptography mailing list