is there a way to detect if user is using same incorrect password in authentication
Brent Kimberley
Brent.Kimberley at Durham.ca
Sat Aug 10 07:33:40 EDT 2024
The definition of an argon salt is predicated on a nonce - number used once. Reusing the salt, changes the definition.
Net result. The overall security will degrade.
Cpu and disk load will increase. Your OpEx and CapEx demand will increase. Your contingency reseeve demand will increase. The quality of the data and logic will degrade. The revised security proof would need to be updated and peer reviewed. And, your historians will have more facts to play with...
________________________________
From: Kerberos <kerberos-bounces at mit.edu> on behalf of Ken Hornstein via Kerberos <kerberos at mit.edu>
Sent: Friday, August 9, 2024 9:03:01 PM
To: Jim Shi <hjshi at yahoo.com>
Cc: kerberos at mit.edu <kerberos at mit.edu>
Subject: Re: is there a way to detect if user is using same incorrect password in authentication
>Hi, we have a required to detect if a client is using same incorrect
>password in in authentication against KDC. Is it possible the KDC
>server can determine if client is using same incorrect password? Thanks
Ouch, is this some dang compliance requirement? I thought I had dealt with
SO MANY weird compliance issues, but that's a new one to me. I'm interested
in where this is coming from. If I understand you, it seems like you mean
that a single client is repeating the same incorrect pasword over and over.
If you mean that different clients are trying to use the the same incorrect
password, I don't believe that's possible (nor do I understand why that
would be a requirement). Upon further thought, this seems like a completely
ridiculous requirement and I cannot imagine why anyone would ask for it.
I _think_, in theory ... my first guess as to what you mean is possible.
But it won't be trivial. I believe you could accomplish this by using
encryped timestamp preauth, detecting when a wrong password is seen,
remembering that on the KDC, and then sending the same encrypted timestamp
back to the client upon further password requests and detecting if the
response was the same. That would be a lot of code and have issues if
the requests went to different KDCs. It's very possible I could be wrong
about that. And again, that only works with requests from the SAME client
due to password salting.
--Ken
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos<https://mailman.mit.edu/mailman/listinfo/kerberos>
THIS MESSAGE IS FOR THE USE OF THE INTENDED RECIPIENT(S) ONLY AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED, PROPRIETARY, CONFIDENTIAL, AND/OR EXEMPT FROM DISCLOSURE UNDER ANY RELEVANT PRIVACY LEGISLATION. No rights to any privilege have been waived. If you are not the intended recipient, you are hereby notified that any review, re-transmission, dissemination, distribution, copying, conversion to hard copy, taking of action in reliance on or other use of this communication is strictly prohibited. If you are not the intended recipient and have received this message in error, please notify me by return e-mail and delete or destroy all copies of this message.
More information about the Kerberos
mailing list