On 2013 Apr 5, at 21:28 , Robert Hajime Lanning wrote:

> On 04/05/13 17:36, Edward Ned Harvey (lopser) wrote:
>> I believe radius only handles password authentication. If you have a cert
>> infrastructure, it's best to use cert first and username/password only as a
>> second factor.
>>
>> Even if you have a 9-char long password full of complex mix caps and
>> symbols, a brute force attack can crack that in days. If you want security,
>> you really need to go for certs.
>>
>> A lot of people don't really care about security though. ;-)
>
> Then why everywhere I go that uses things like a RADIUS gateway to AD, my
> account gets locked after 3 failed attempts?
Because they don't care about security. Auto-locking accounts creates a denial of service vulnerability. It becomes trivial to lock out (and keep locked out) any administrator account, or more sensitive accounts like database and application accounts.

Real security involves actually securing the host, rather than ignoring it. (I've been on this soapbox many times before, so I won't repeat myself, much.) Disable unused accounts, don't just set a "strong" password. If an account can be remotely logged into and execute arbitrary commands, but more than one user has the ability to look up the authentication credentials, then that account has no individual accountability and is a weak point on your system. Even more so if it has any privileges beyond regular user. (One of the worst examples is credentialed scanning that wants unlimited root access via passwordless sudo.)

But on the flip side, the first rule of computer security comes in as well: "Don't have a computer." (There's no such thing as 100% security.)

What, you wanted an easy answer from me?

----
"The speed of communications is wondrous to behold. It is also true that speed can multiply the distribution of information that we know to be untrue." Edward R Murrow (1964)

Mark McCullough
[email protected]

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
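The lockout-as-denial-of-service point above, as an added simulation that is not part of the thread: a global "lock after 3 failures" rule beside a per-source backoff policy, both run against a constructed credential store with hypothetical addresses, so the difference for the legitimate administrator is visible.

```python
from collections import defaultdict

# Constructed credential store for the simulation (not real accounts).
USERS = {"admin": "correct-horse-battery", "alice": "s3cret"}


class LockoutPolicy:
    """The policy criticised in the thread: lock the account after N
    failed attempts, no matter which source caused them."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)   # failures per account

    def login(self, user, password, source, now):
        if self.failures[user] >= self.max_failures:
            return "locked"            # nobody can use the account now
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "bad-password"


class ThrottlePolicy:
    """Alternative: count failures per (source, account) and make only the
    offending source back off, with the delay doubling on each failure."""

    def __init__(self, base_delay=2):
        self.base_delay = base_delay
        self.failures = defaultdict(int)        # failures per (source, user)
        self.blocked_until = defaultdict(int)   # simulated seconds

    def login(self, user, password, source, now):
        key = (source, user)
        if now < self.blocked_until[key]:
            return "throttled"         # only this source/account pair waits
        if USERS.get(user) == password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        delay = self.base_delay * 2 ** (self.failures[key] - 1)
        self.blocked_until[key] = now + delay
        return "bad-password"


def simulate(policy):
    """Three wrong guesses against 'admin' from an untrusted address, then
    the real administrator logs in from another host with the right password."""
    for t in range(3):
        policy.login("admin", "guess-%d" % t, "203.0.113.9", now=t)
    return policy.login("admin", USERS["admin"], "10.0.0.5", now=3)
```

Under the lockout policy the administrator is refused even with the correct password; under the throttle policy only the guessing source waits.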
