[cap-talk] Do Strong Web Passwords Accomplish Anything?

Lorens Kockum cap-talk-193 at tagged.lorens.org
Wed Jul 22 18:00:13 EDT 2009


On Wed, Jul 22, 2009 at 03:40:30PM +0000, Karp, Alan H wrote:
> Rob Meijer wrote:
>
> > I thus feel that the 3 strikes approach is bad, at least for
> > 'user' accounts.
>
> Three strikes is bad, but 9 strikes is quite good.  A study
> published in "Usability and Security" shows that after a
> first failed attempt, only 30% got their password right
> with two more tries, but over 90% got it within the next 8.

The problem with nine tries is varying the username. There
are hit-parades of passwords chosen frequently by users.  Out
of 100 000 accounts with run-of-the-mill users with freely
chosen passwords, there are statistically a goodly number with
passwords out of the top three, and of course even more with
passwords in the top ten.

Somewhat randomizing usernames is good but not always feasible.

One needs to monitor the frequency of denied requests per IP
(proxied IPs...), and probably factor in the number of tries on
different user names, especially nonexistent usernames.

To avoid blocking proxied IPs, factor in number of
successful logins from that IP. If HTTP, consider looking at
X-Forwarded-For.

I believe / hope that there are security systems out there that
monitor such things.

> That means you need more than 20 bits of entropy, but 24
> should be sufficient.

I'm not sure how you calculate the entropy, but I suppose it
implies non-user-chosen passwords...

> Slowing down the retries also helps.  

Definitely slow down the retries. Also after a certain number
of tries one can insert a random failure even if the password
is correct (but I think the real users should be informed about
that).

While we're off topic into general password security, there is a
problem with some devices that retry the same password over and
over in spite of refusal (think multiple physical IMAP clients
for one account and mandatory periodic password changes). I
think those repeats should be removed from the "n strikes", but
I haven't found a recipe for that with something like FreeRadius
(in thirty seconds of googling ;-))

-- 
Lorens
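The heuristics Lorens sketches above (per-account strikes, per-IP counts of distinct and nonexistent usernames, credit for successful logins from a shared IP, X-Forwarded-For only from a trusted proxy, exponential slow-down, the random rejection after a few strikes, and collapsing a misconfigured client's replays of one wrong password into a single strike) as one added example. This is not code from the thread or from any product the thread mentions; the thresholds, the trusted proxy address 10.0.0.1, the names `LoginGuard`, `client_ip`, `retry_delay` and `attempt_digest`, and every address and username in the test are hypothetical.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical policy knobs (not from the thread); tune per deployment.
STRIKES_PER_ACCOUNT = 9         # Alan Karp's "nine strikes" before lockout
SOFT_STRIKES = 4                # from here on, sometimes reject a correct password
RANDOM_REJECT_P = 0.5
DISTINCT_USERS_PER_IP = 5       # many usernames from one IP looks like spraying
NONEXISTENT_USERS_PER_IP = 3    # many unknown usernames looks like enumeration
TRUSTED_PROXIES = {"10.0.0.1"}  # honour X-Forwarded-For only from these peers
MAX_DELAY = 30.0                # seconds

# Per-process secret, never persisted: stored digests cannot be cracked offline.
ATTEMPT_KEY = secrets.token_bytes(32)


def attempt_digest(username, password):
    """HMAC of the submitted credentials, so a client resending the same
    wrong password is recognised without the password itself being stored."""
    return hmac.new(ATTEMPT_KEY, f"{username}\0{password}".encode(),
                    hashlib.sha256).hexdigest()


def client_ip(remote_addr, xff=None):
    """Use the rightmost X-Forwarded-For hop (the address the proxy saw) only
    when the TCP peer is a trusted proxy; anyone can send the header."""
    if remote_addr in TRUSTED_PROXIES and xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


def retry_delay(strikes):
    """Exponential slow-down per strike on the account, capped."""
    return 0.0 if strikes == 0 else min(2.0 ** (strikes - 1), MAX_DELAY)


@dataclass
class IpState:
    successes: int = 0
    nonexistent: int = 0
    usernames: set = field(default_factory=set)


@dataclass
class AccountState:
    wrong_digests: set = field(default_factory=set)  # one per distinct wrong password


class LoginGuard:
    def __init__(self, rand=None):
        self.rand = rand or secrets.SystemRandom().random  # tests inject a constant
        self.ips = defaultdict(IpState)
        self.accounts = defaultdict(AccountState)

    def check(self, remote_addr, username, password, user_exists, password_ok, xff=None):
        """Call after the backend has verified the credentials, so lockouts
        and delays never leak whether the password was right."""
        ip = client_ip(remote_addr, xff)
        ipst, acct = self.ips[ip], self.accounts[username]
        strikes = len(acct.wrong_digests)
        reasons = []
        if strikes >= STRIKES_PER_ACCOUNT:
            reasons.append("account-locked")
        # Each successful login from this IP offsets one guessed username, so a
        # NAT or proxy full of real users is not blocked by one guesser behind it.
        if len(ipst.usernames) - ipst.successes >= DISTINCT_USERS_PER_IP:
            reasons.append("ip-spraying")
        if ipst.nonexistent >= NONEXISTENT_USERS_PER_IP:
            reasons.append("ip-enumeration")
        if (password_ok and not reasons and strikes >= SOFT_STRIKES
                and self.rand() < RANDOM_REJECT_P):
            reasons.append("random-reject")  # tell real users this can happen
        if reasons:
            return {"allow": False, "reasons": reasons, "client_ip": ip,
                    "delay": retry_delay(strikes)}
        if password_ok:
            ipst.successes += 1
            acct.wrong_digests.clear()
            return {"allow": True, "reasons": [], "client_ip": ip, "delay": 0.0}
        ipst.usernames.add(username)
        if not user_exists:
            ipst.nonexistent += 1
        # A set: a misconfigured client replaying one wrong password costs the
        # account a single strike however often it retries.
        acct.wrong_digests.add(attempt_digest(username, password))
        return {"allow": False, "reasons": ["bad-credentials"], "client_ip": ip,
                "delay": retry_delay(len(acct.wrong_digests))}
```

The caller sleeps for `delay` before answering and treats `allow` as final, so a correct password from a locked or sprayed source is still refused. Only keyed digests of wrong attempts are kept, and they are cleared on the next successful login; the key lives in memory, so a database dump cannot be used to crack the near-misses users typed.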

