[Owasp-leaders] [Owasp-community] If a list was available of names and user IDs... Please complete

Bil Corry bil.corry at owasp.org
Tue May 16 16:02:32 UTC 2017


Often the network ID matches the employee's email address, e.g. network ID
is ybaker and email is ybaker at company.tld.  Since employees share their
first name, last name, and email address with external parties by virtue of
sending email (and in other ways, such as LinkedIn), and since most
companies adopt a standard method for creating the network ID, it wouldn't
be hard for an external attacker to scour LinkedIn for employees and guess
their network ID and email address.

Would a list help them?  With phishing yes, with brute forcing, not so
much.  An attacker is not going to brute force the entire company directory
all at once, so the attacker only needs five to ten network IDs, and a
means to try credentials that has poor velocity controls.

As far as sensitivity to the data, I wouldn't consider it sensitive unless
the network ID is something random for each employee, separate from their
email address and is kept secret.  But the company would be far better off
having known network IDs and instead employ 2FA for all logins.


- Bil


On Tue, May 9, 2017 at 7:53 AM, Yolanda Baker <yolybaker at gmail.com> wrote:

> I am formulating a test Q&A and need your expert opinion:  If an actor
> obtained a file containing first, last name, and network ID, would this be
> considered easy for brute force password cracking?
> Would you consider these combinations of fields sensitive corporate
> information requiring network ID to be masked from developers and third
> parties?
> Thanks for your reply,
> Yolanda Baker
>