Head in a blender

Lotus Notes HTTP passwords still need strength

Andy Pedisich  April 13 2010 09:35:43 AM
I just got a call last week about this. Consider the following configuration:
1. Password changes not enforced in Notes.
2. Password complexity set way too easy. Basically any 8 character word will do it.
3. Name variations in the security section of the server document allow more variations with lower security.

It's a perfect storm.
1. Spammer launches an attack against the server, trying just first names like Andy, Robert, Sales, Info, and Kate. Doesn't get a non-delivery report for kate@mycompany.com.
2. Tries to authenticate as KATE using a dictionary attack.
3. In very short order, the spammer determines that Kate's password is "summer".
4. The authenticated account is allowed to relay through your server.
5. Spammer starts sending out spam in Kate's name, 200 messages at a time, 100 recipients per message, for some company that makes granite counter tops in Taiwan.
6. Your server is on a DNS blacklist.
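The guessing-then-success pattern in steps 1 through 4 shows up in the HTTP authentication log before the relay abuse starts, so it can be caught early. As an added example (not code from the original post), here is a small Python detector run over constructed sample log lines; the line layout, the thresholds and the source addresses are assumptions, not the real Domino console format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (an assumption for this example: the layout is NOT
# the real Domino console format, only the fields a real log would carry).
SAMPLE_LOG = """\
04/13/2010 09:01:02 AM HTTP: auth failure user=andy from=203.0.113.7
04/13/2010 09:01:03 AM HTTP: auth failure user=robert from=203.0.113.7
04/13/2010 09:01:04 AM HTTP: auth failure user=sales from=203.0.113.7
04/13/2010 09:01:05 AM HTTP: auth failure user=kate from=203.0.113.7
04/13/2010 09:01:06 AM HTTP: auth failure user=kate from=203.0.113.7
04/13/2010 09:01:07 AM HTTP: auth failure user=kate from=203.0.113.7
04/13/2010 09:01:09 AM HTTP: auth success user=kate from=203.0.113.7
04/13/2010 09:30:00 AM HTTP: auth failure user=kate from=198.51.100.9
04/13/2010 09:45:00 AM HTTP: auth success user=kate from=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M) HTTP: auth "
    r"(?P<result>failure|success) user=(?P<user>\S+) from=(?P<ip>\S+)$"
)

def parse(log):
    """Turn log text into (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            events.append((ts, m["result"], m["user"].lower(), m["ip"]))
    return events

def detect(events, window=timedelta(minutes=5), threshold=5):
    """Flag a source IP once it has `threshold` failed logins inside `window`
    (the guessing phase), then flag any later success from that IP as a
    probable cracked account (the 'summer' moment before the relay abuse)."""
    alerts, flagged = [], set()
    failures = defaultdict(list)          # ip -> recent failure timestamps
    for ts, result, user, ip in sorted(events):
        recent = [t for t in failures[ip] if ts - t <= window]
        if result == "failure":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, None))
        elif ip in flagged:
            alerts.append(("probable_compromise", ip, user))
        failures[ip] = recent
    return alerts
```

A single failure followed by a success from the second address produces no alert, which is the normal "typo, then correct password" case the threshold is meant to ignore.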

It's just that easy. So, instead, set a Lotus Notes/Domino security policy to increase password complexity to a strength of 8 or higher. Put a security document in place to force password changes regularly. And change the Internet Authentication setting in the server document to allow fewer name variations. That will make the spammers use Kate's real name (or at least one specifically listed in her person document) to authenticate. Restart your stuff.

Now the only Kate that makes it in will be Kate Gosselinowskiovitch using the password T!Ckl3M33lm0. Spam over.

- Andy
Comments

1. Ravi  4/13/2010 10:34:50 AM  Lotus Notes HTTP passwords still need strength

Also enabling "Enforce Internet Password Lockout" in the security tab of the configuration document of the server would be a good security measure.

2. Andy Pedisich  4/13/2010 12:25:16 PM  Lotus Notes HTTP passwords still need strength

Agreed. I wanted to be brief yet effective.

Security settings are like eating peanuts. Once you start, you just can't seem to stop.

- Andy

3. Lauri Laanti  4/15/2010 7:38:52 AM  Lotus Notes HTTP passwords still need strength

"Put a security document in place to force password changes regularly."

Just curious, why do you recommend that?

4. Andy Pedisich  4/15/2010 2:20:16 PM  Lotus Notes HTTP passwords still need strength

If a user's password has been compromised, the malicious user will no longer be able to access resources by surreptitiously impersonating the user.

This is provided password checking is configured.

- Andy

5. Chris Whisonant  4/15/2010 3:57:25 PM  Lotus Notes HTTP passwords still need strength

Good tips. Also, from People view run the "Upgrade to more secure internet password" (changes the hash option) and set this in the Directory Profile document.

6. Andy Pedisich  4/15/2010 4:01:20 PM  Lotus Notes HTTP passwords still need strength

That is a subject unto itself that I have carried on about many, many times.

- Andy

7. Lauri Laanti  4/16/2010 2:15:45 AM  Lotus Notes HTTP passwords still need strength

"If a user's password has been compromised, the malicious user will no longer be able to access resources by surreptitiously impersonating the user."

That is true. However, if you specify e.g. a 30-day period (quite strict IMHO), the spammer can continue for 15 days (on average) before having to re-crack the user account. I would imagine that the DNS blacklisting would occur and be noticed long before that.

This policy is quite a common recommendation; however, I am of the opinion that it is actually detrimental to security. Most users:

a) use the same password and append a running number (like summer01 in your example). Re-cracking is not too hard...

b) write the password on a post-it note on their monitor (!)

It provides a false sense of security (the password is not stronger because it has been changed). If an account has been compromised, it would be better to notice it and remedy the situation than to rely on it "fixing itself" every 30 (or whatever) days.

(I'm sorry; this is actually a pet peeve of mine. I totally agree with the rest of the post, good policies.)

-Lauri

8. Andy Pedisich  4/16/2010 10:28:50 AM  Lotus Notes HTTP passwords still need strength

Thanks for the input. But I think no one would use an account where they knew the password was compromised. What would be the point?

- Andy
