> BonHair posted: Agreed, but if you want to play devil's advocate, you could argue that credential stuffing meant that by locking the account after 3 attempts, the bot wouldn't be able to try its full arsenal of leaked plaintext passwords for the email address/account name.

Yeah, but if it's trying a small number of stuffed credentials, it can easily spread that out over any required amount of time. Locking an account after 3 bad attempts is just going to further introduce the human element.

# Sep 22, 2022 20:49

> Cup Runneth Over posted: Hot take: There is zero* good reason to lock a user out after 5-10 failed password attempts. Brute forcing takes millions of attempts, whereas 5-10 is well within the margin of error for a normal user and inconveniences them more than hackers.

Nah. If you have failed to put in a password correctly 5+ times, something is wrong. You are not more likely to get it correct after 5 more attempts, and it's most certainly going to frustrate an attacker who might have a vague notion of what your password is.

# Sep 22, 2022 21:41

> CommieGIR posted: Nah. If you have failed to put in a password correctly 5+ times, something is wrong. You are not more likely to get it correct after 5 more attempts, and it's most certainly going to frustrate an attacker who might have a vague notion of what your password is.

What if your password is hunter13, after all?

# Sep 22, 2022 21:55

> CommieGIR posted: Nah. If you have failed to put in a password correctly 5+ times, something is wrong. You are not more likely to get it correct after 5 more attempts, and it's most certainly going to frustrate an attacker who might have a vague notion of what your password is.

Something like caps lock or num lock? It's pointless and arbitrary; if your password is trivial enough to guess in 3-5 attempts then it doesn't matter anyway.

# Sep 22, 2022 21:58

<5 or whatever is less a defense against brute forcing and more a defense against using creds from breaches. it's not about "trivial enough to guess" at all

# Sep 22, 2022 22:34

holy poo poo it turns out that security controls have usability tradeoffs

# Sep 22, 2022 22:35

> Mr. Crow posted: Something like caps lock or num lock? It's pointless and arbitrary, if your password is trivial enough to guess in 3-5 attempts then it doesn't matter anyway

What if they only know part of the password is what I meant. But you also have to realize half of the most common passwords in Enterprise environments are something like Summer2022!? So yeah.

> Achmed Jones posted: <5 or whatever is less a defense against brute forcing and more a defense against using creds from breaches. it's not about "trivial enough to guess" at all

Yup. People tend to be habitual with password reuse even when changing them. It's part of why passphrases are the recommended standard to encourage longer passwords, but also doing away with password rotations to make them easier on the user.

# Sep 22, 2022 22:39

poo poo, every time I have to change my laptop password it takes me at least 5 attempts in the groggy rear end morning mode before I even remember "oh yeah, I had to change it yesterday". Then it's probably a few more attempts on trying to remember what stupid phrase I used this time and dumb rear end characters used for padding.

# Sep 23, 2022 00:46

sometimes i accidentally hit the "layout" button on my keyboard and don't notice it. since my workstation isn't unlocked, i can't type in a notepad doc or w/e to detect it. i've probably never gone over 10 tries before i figured it out, but definitely 5. it takes me 2 or 3 on a semi-regular basis, so i won't even start to know something's up until i hit 4 or 5

# Sep 23, 2022 01:01

Exponential backoff on failed attempts is probably a good way to get people to stop and think before they hit enough failures to be locked out and need to contact support to get unlocked.

# Sep 23, 2022 01:22

50 failed attempts in a 24 hour period and exceeding that threshold requires a new password to be set.

# Sep 23, 2022 01:23

I dunno, pal, if I have a password that can’t be guessed in 50 tries, I’m keeping that for life.

# Sep 23, 2022 01:26

And just never be able to log into anything with it ever again...this checks out.

# Sep 23, 2022 01:27

> Subjunctive posted: I dunno, pal, if I have a password that can’t be guessed in 50 tries, I’m keeping that for life.

Rumplestiltskin

# Sep 23, 2022 01:30

Because AD is dumb as poo poo and can't do smart lockout like Azure AD or anything else. https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/set-the-account-lockout-threshold-to-the-recommended-value It doesn't stop any semi-competent bad actor anyways, since they're trying to extract your password hash or just break in some other easy way. No one is going to brute force AD except JoAnn from accounting who forgets her password every week or $idiot_IT_employee who writes a script that accidentally locks out half the environment with bad password attempts before it gets stopped. Obviously you should have a SIEM and audit monitoring in place before doing anything like this. The default account lockout protection is flimsy trash, but if it's all you got probably don't turn it off.

# Sep 23, 2022 02:20

> CommieGIR posted: What if they only know part of the password is what I meant.

There used to be 30 day rotations and several users figured out they could just use $month + $password. Discovered that this was common practice via sticky notes describing such. The system only remembered the last 10, so if you changed it like this it would never run afoul of the policy.

# Sep 23, 2022 02:26

I've wondered for awhile if you couldn't effectively DDoS a company by spamming logins to keep their employees perms-locked.

# Sep 23, 2022 03:34

> Ynglaur posted: I've wondered for awhile if you couldn't effectively DDoS a company by spamming logins to keep their employees perms-locked.

Probably, if you could grab a complete list of login names and had enough proxies to rotate your IPs so your IP doesn't get blacklisted before you finish locking the company, and the rule was to hard lock accounts after x amount of tries instead of rate limiting attempts heavily.

Edit: I feel like it might be easier to just use amplification attacks to blow a core router instead.

Defenestrategy fucked around with this message at 04:20 on Sep 23, 2022

# Sep 23, 2022 04:17

You guys are missing the real strategy, not resetting on a successful login. My former employer would lock the account on the third failed attempt, spread over any length of time. Even months. And many of us worked second shift so I lost count of how many times I had to call them at 11pm while the production line was stopped waiting for me to get my password reset after a single typo. They were convinced this was absolutely necessary for some kind of federal regulation that they could not clearly explain.

# Sep 23, 2022 06:13

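The two lockout designs argued about above, the exponential-backoff-with-reset idea and the former employer's "third failure ever, no matter how far apart, locks you out" rule, modelled side by side as an added example. This is not code from any poster in the thread or from any real product; `LockoutPolicy`, its parameters, the user name and the timestamps are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

DAY = 86400.0  # seconds

@dataclass
class _Record:
    failures: int = 0          # failures currently counted toward lockout
    last_failure: float = 0.0  # when the most recent counted failure happened
    next_allowed: float = 0.0  # earliest time another attempt is accepted (backoff)
    locked: bool = False

@dataclass
class LockoutPolicy:
    """Hypothetical lockout model; the four knobs are the ones the thread argues about."""
    max_failures: int                       # hard lock once this many failures are counted
    reset_on_success: bool                  # does a correct password clear the counter?
    failure_window: Optional[float] = None  # seconds a failure stays counted; None = forever
    base_delay: float = 0.0                 # seconds; > 0 turns on exponential backoff
    max_delay: float = 900.0                # cap so the backoff cannot grow unbounded
    _users: dict = field(default_factory=dict)

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Evaluate one login attempt at time `now`; returns ok/fail/throttled/locked."""
        rec = self._users.setdefault(user, _Record())
        if rec.locked:
            return "locked"
        if now < rec.next_allowed:
            return "throttled"  # still inside the backoff delay; password not even checked
        if (self.failure_window is not None and rec.failures
                and now - rec.last_failure > self.failure_window):
            rec.failures = 0    # old failures have aged out of the window
        if password_ok:
            if self.reset_on_success:
                rec.failures = 0
            return "ok"
        rec.failures += 1
        rec.last_failure = now
        if rec.failures >= self.max_failures:
            rec.locked = True   # hard lock: needs a reset by support
            return "locked"
        if self.base_delay > 0:
            delay = min(self.base_delay * 2 ** (rec.failures - 1), self.max_delay)
            rec.next_allowed = now + delay
        return "fail"

    def counted_failures(self, user: str) -> int:
        return self._users.get(user, _Record()).failures

def never_resets() -> LockoutPolicy:
    """The former employer's rule: the third failure ever locks, successes do not help."""
    return LockoutPolicy(max_failures=3, reset_on_success=False)

def backoff_with_reset() -> LockoutPolicy:
    """Exponential backoff, counter cleared on success, failures forgotten after a day."""
    return LockoutPolicy(max_failures=50, reset_on_success=True,
                         failure_window=DAY, base_delay=1.0)

def typo_months_apart(policy: LockoutPolicy) -> List[str]:
    """Constructed scenario: one typo a month, each followed by the correct password."""
    out = []
    for month in range(3):
        t = month * 30 * DAY
        out.append(policy.attempt("alice", False, t))      # the typo
        out.append(policy.attempt("alice", True, t + 5))   # gets it right five seconds later
    return out

def rapid_guesses(policy: LockoutPolicy, n: int = 6) -> List[str]:
    """Constructed scenario: n wrong passwords one second apart, as a script would send them."""
    return [policy.attempt("alice", False, float(i)) for i in range(n)]

if __name__ == "__main__":
    for name, make in (("never resets", never_resets), ("backoff + reset", backoff_with_reset)):
        print(f"{name:16} typos months apart: {typo_months_apart(make())}")
        print(f"{name:16} rapid guesses:      {rapid_guesses(make())}")
```

Under `never_resets` the third typo locks the account even though every earlier typo was followed by a successful login, which is exactly the 11pm support call described in the post; under `backoff_with_reset` the same user is never locked, while a scripted run of wrong passwords is stalled by the doubling delay after its second failure, and counted failures age out after a day.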
How the gently caress do you enforce strong passwords in Windows, beyond ticking the built-in crap Password Policy. Do you really have to roll your own DLL to check for special characters, etc?

# Sep 23, 2022 07:08

Just thinking abstractly about this, do you have an idea for handling arbitrary password complexity and rotation requirements that's better than "system administrator deploys a binary blob that does all the desired checks, the system delegates everything to that blob"?

# Sep 23, 2022 08:10

I really don't even give a poo poo about password complexity anymore unless it's basically the only factor (lol) in protecting access. They become more irrelevant as time goes on. I am tired of talking about them. I am tired of policies governing them. I am tired of them showing up in user education. Passwords are awful.

# Sep 23, 2022 08:24

> Rust Martialis posted: How the gently caress do you enforce strong passwords in Windows, beyond ticking the built-in crap Password Policy. Do you really have to roll your own DLL to check for special characters, etc?

If you have a hybrid setup you can use Azure AD Password Protection: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises

# Sep 23, 2022 09:01

> SlowBloke posted: If you have a hybrid setup you can use Azure AD Password Protection https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises

Interesting. I would still need Azure AD, regrettably, which is basically a free GDPR breach if I put any data in it.

# Sep 23, 2022 09:14

> Rust Martialis posted: Interesting. I would still need Azure AD, regrettably, which is basically a free GDPR breach if I put any data in it.

It isn't? Azure AD on west-eu is perfectly fine GDPR-wise.

# Sep 23, 2022 15:58

> Rust Martialis posted: Interesting. I would still need Azure AD, regrettably, which is basically a free GDPR breach if I put any data in it.

What are you talking about?

# Sep 23, 2022 16:07

> SlowBloke posted: It isn't? Azure AD on west-eu is perfectly fine GDPR wise.

There's a bit more grey area to it. Specifically, the data can still fall under the Patriot Act bullshit in the USA as long as there is an American owner in the chain above the data center, which there is. I would argue that you could make a privacy impact assessment determining that the only PII you're risking is very low consequence for the data subjects, so who cares if the NSA or whoever get them, making it legal. But I am not a lawyer, so I'm not sure it holds up in court.

# Sep 23, 2022 16:10

> BonHair posted: There's a bit more grey area to it. Specifically, the data can still fall under the Patriot Act bullshit in USA as long as there is an American owner in the chain above the data center, which there is.

That's not true. We've dealt with similar issues for our provincial privacy requirements in BC. The legal owner of Azure here is Microsoft Canada, not Microsoft USA. We do not fall under the Patriot Act for exactly that reason. It's safe to assume there's a similar setup in Europe.

# Sep 23, 2022 16:13

> CLAM DOWN posted: What are you talking about?

Microsoft allows US-based staff access to data in the EU in Azure. They are subject to national security letters in the USA - they have a website to list how many they get, even. Go read Microsoft's privacy statement about trans-border data processing - they state they will use sub-processors anywhere globally they see fit. They have corporate rules and signed up for Privacy Shield, none of which suffice post-Schrems II. The EDPB has warned that you use cloud services at your own risk.

In short, if you put data in Azure, anywhere in the world, the US government can access it. And Microsoft admits it. Allowing your personal data to be accessed from any country where data protection is not equivalent to GDPR is a breach.

# Sep 23, 2022 16:18

> CLAM DOWN posted: That's not true. We've dealt with similar issues for our provincial privacy requirements in BC. The legal owner of Azure here is Microsoft Canada, not Microsoft USA. We do not fall under the Patriot Act for exactly that reason. It's safe to assume there's a similar setup in Europe.

Ask Microsoft to list all their sub-processors by location with access to your data. Hey look, Americans.

# Sep 23, 2022 16:21

This has come up a few times in this thread. So I have to ask: has any European government ever prosecuted a company for a GDPR infraction because data was stored on Azure? I mean, the Patriot Act basically says "gently caress your sovereignty, world", so a strict interpretation of GDPR basically amounts to, "You can't tell an American anything, ever." Which I suppose might be technically correct, but is it practically a prohibition?

# Sep 23, 2022 16:27

> Rust Martialis posted: Microsoft allows US-based staff access to data in the EU in Azure. They are subject to national security letters in the USA - they have a website to list how many they get, even. Go read Microsoft's privacy statement about trans-border data processing - they state they will use sub-processors anywhere globally they see fit. They have corporate rules and signed up for Privacy Shield, none of which suffice post-Schrems II. The EDPB has warned that you use cloud services at your own risk.

Don't know what to tell you. We do not fall under the Patriot Act.

# Sep 23, 2022 16:48

lmao the idea of someone trying to use the Patriot Act against a Canadian company in Azure.

# Sep 23, 2022 16:50

It’s not me personally that would get sued for using Azure AD and I sure as poo poo am not putting VMs in some third rate VPS provider.

# Sep 23, 2022 16:53

> Ynglaur posted: This has come up a few times in this thread. So I have to ask: has any European government ever prosecuted a company for a GDPR infraction because data was stored on Azure?

Datatilsynet's guidance is that if you use cloud, you must ensure supplementary measures to protect your data, but notes:

> In this context, you should note that contractual and organisational measures will generally not

> If you use a cloud service where the CSP needs to have access to the transferred

# Sep 23, 2022 17:00

> CLAM DOWN posted: Don't know what to tell you. We do not fall under the Patriot Act.

Where's your Cloud datacenter? Hint: Microsoft and AWS *are* subject.

# Sep 23, 2022 17:03

> CommieGIR posted: NIST is being used as a general guideline now for Industry standards.

It just seems wiser to use 800-171 then, as 53 is defense specific and it shows in places. It’s also growing a little long in the tooth.

# Sep 23, 2022 17:10

> Rust Martialis posted: Where's your Cloud datacenter?

Canada. Specifically, Toronto area.

# Sep 23, 2022 17:10

> CLAM DOWN posted: Canada. Specifically, Toronto area.

Oh, so no sub-processors outside Canada?

# Sep 23, 2022 17:12

> Rust Martialis posted: Oh, so no sub-processors outside Canada?

No. That's the whole point of what I'm saying.

# Sep 23, 2022 17:16