What defensive measures will you take to protect from password brute-force attacks?

Starriol (Limp Gawd, joined Jan 3, 2006, 191 messages)
I was asked this on a test for the CEH. What would you answer? My own answer is at the bottom.

What defensive measures will you take to protect your network from password brute-force attacks? (Choose all that apply.)

A) Never leave a default password.

B) Never use a password that can be found in a dictionary.

C) Never use a password related to the hostname, domain name, or anything else that can be found with Whois.

D) Never use a password related to your hobbies, pets, relatives, or date of birth.

E) Use a word that has more than 21 characters from a dictionary as the password.

What do you say? For me, if you are strict, the first 4 cannot be true since they would protect specifically from dictionary attacks, not brute force. The last one would surely protect you from a brute force attack, because even when using only lower case letters for the password, it would take TRILLIONS of years to compute all the combinations.

But, guess what? The correct answer is to select all the first 4!!! WTF???
The justification is: "A dictionary word can always be broken using brute force"

What do you think?
 
Option E is still a dictionary word. It would be cracked in moments by a brute force attempt. Remember that most brute force programs will go through the dictionary first unless told otherwise.
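The two claims above (a 21+ letter lowercase word is safe against exhaustive search, and a cracker tries its wordlist before any exhaustive search) can be checked side by side. The following is an added example, not code from the thread: it hashes candidates with unsalted SHA-256 as a stand-in for whatever the target stores, uses a constructed five-entry wordlist in place of a real one such as rockyou.txt, and caps the exhaustive phase at four characters so it finishes. The `keyspace` and `years_to_exhaust` helpers and the 1e12 guesses/s rate are illustrative assumptions.

```python
import hashlib
import itertools
import string

# Constructed sample wordlist for the demonstration; a real cracker would load
# a file such as rockyou.txt. The last entry is 22 lowercase letters long, so
# it satisfies option E in the question and is still just a dictionary word.
WORDLIST = [
    "123456", "password", "letmein", "qwerty",
    "counterrevolutionaries",
]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 stands in for whatever hash the target system stores."""
    return hashlib.sha256(password.encode()).hexdigest()


def keyspace(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must try for passwords of exactly `length`."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at a given guess rate (assumed rate)."""
    seconds = keyspace(charset_size, length) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def crack(target_hash: str, wordlist=WORDLIST,
          charset: str = string.ascii_lowercase, max_len: int = 4):
    """Dictionary pass first, then exhaustive search of lengths 1..max_len.

    Returns (password, guesses_made, phase); phase is "dictionary",
    "brute-force" or "exhausted" (password is None in that last case).
    """
    guesses = 0
    # Phase 1: every cracker tries the wordlist first because it is cheap.
    for word in wordlist:
        guesses += 1
        if sha256_hex(word) == target_hash:
            return word, guesses, "dictionary"
    # Phase 2: exhaustive search, shortest candidates first.
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses, "brute-force"
    return None, guesses, "exhausted"


if __name__ == "__main__":
    # The 22-letter word falls on the fifth guess; the lowercase keyspace of
    # that length would be hopeless to exhaust, which is why the wordlist
    # is tried first.
    print(crack(sha256_hex("counterrevolutionaries")))
    print(crack(sha256_hex("zzz")))
    print(f"26^22 candidates: {keyspace(26, 22):.2e}")
    print(f"years at 1e12 guesses/s: {years_to_exhaust(26, 22, 1e12):.1e}")
```

The point the numbers make: the keyspace estimate is honest (26^22 is out of reach for exhaustive search), but the estimate only applies to a password that is not in any list, and a dictionary word of any length is found in as many guesses as its position in the list.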
 
1) Don't tape your password to the bottom of your keyboard

No matter what steps you take, users will always do stupid crap
 
> 1) Don't tape your password to the bottom of your keyboard
>
> No matter what steps you take, users will always do stupid crap
True story, I had a user tape the password to the ceiling above their cube. I have to give them credit for at least being inventive.

As far as protecting from brute-force; you limit the number of times someone can attempt an auth. None of those answers are correct because they don't account for things like rainbow tables and the like. But if you only have 3 times to enter your password before the account is locked, then that will effectively shutdown the attempts.
 
> True story, I had a user tape the password to the ceiling above their cube. I have to give them credit for at least being inventive.

Inventive ones are always the funniest. I had a guy who decided to put it into a box with a biometric lock, but he used his buddy's fingerprint instead of his own. :p He thought it'd be more secure that way, until his friend went on vacation to another continent and he forgot his password. :rolleyes:
 
I tape my phone password on the phone under the handset. The only reason we have them is someone figured how to hack into the system and make long distance calls. Scum is infinitely creative.
 
Not to hijack this thread or hurt anyone's feelings, but I've heard from a few engineers now that the C|EH is a joke. Maybe Security+ or CCNA Security would be a better route for aspiring security admins?
 
 
Given a length of time, any password can be brute forced, so the best way is to limit the only thing you have control over: time. As stated above, the only thing you can really do is put a time out lock on consecutive errors; even better, require IT to unlock a locked account.
 
> Given a length of time, any password can be brute forced, so the best way is to limit the only thing you have control over: time. As stated above, the only thing you can really do is put a time out lock on consecutive errors; even better, require IT to unlock a locked account.

That is human side, still.

Better, IMO, to have an automatic system that requires a 2 second wait before the next password attempt, regardless of whether it is the first or the 15th try. After about 15, add a 1 min wait timer. Brute force basically crawls at that point, if it even can do so, especially with longer passwords.

And password? Just make a 13375p34k_53n74nc3_101.
 
In the context of the question, which you shouldn't be thinking of anything but in that context anyway, those answers are correct. I don't see what the big deal is. Are those the only methods? No, but are the other methods listed there? Nope don't see them. Move on.
 
> In the context of the question, which you shouldn't be thinking of anything but in that context anyway, those answers are correct. I don't see what the big deal is. Are those the only methods? No, but are the other methods listed there? Nope don't see them. Move on.

+1

Haha... can't do a simple +1 anymore... the reply has to be at least 3 characters....
 
> In the context of the question, which you shouldn't be thinking of anything but in that context anyway, those answers are correct. I don't see what the big deal is. Are those the only methods? No, but are the other methods listed there? Nope don't see them. Move on.
Perhaps, but others had already fielded the answers. The original question had false assumptions, and if we do nothing else on this forum, we "ValueAdd". :)
 
Old school people consider dictionary attacks as brute force... your teacher is probably an older gentleman, correct?


IMO the definitions overlap.
 
Brute-force means making multiple attempts to crack the password. A dictionary attack is a subset of brute-force methods; therefore, answer E is correct. Any dictionary word is vulnerable to brute-force methods provided you have a good wordlist.
 
Regardless of how you feel about whether dictionary attacks are brute force or not, A, C and D all protect against targeted attacks, not automated brute force methods of either kind. If their answer included those, I would say it is either a poorly worded question for a test (where precision in both the question and answer is required), or just plain wrong.

And I still think that poorly written test questions are the reason a lot of smart people fail certification tests and stupid ones pass them. If your reading comprehension is good and you actually think about the question, sometimes this kind of imprecise terminology and so on can really trip you up, while if you're just reciting what you read in the book, you'll check the boxes that were listed in the book and do fine. I hate all the certification tests I've taken. They're all about figuring out what answer they want, not what answer is correct.
 