[Owasp-leaders] [Owasp-community] If a list was available of names and user IDs... Please complete

Patrick Laverty patrick.laverty at owasp.org
Tue May 16 19:56:06 UTC 2017

Responding inline.

On May 16, 2017 12:03 PM, "Bil Corry" <bil.corry at owasp.org> wrote:

it wouldn't be hard for an external attacker to scour LinkedIn for
employees and guess their network ID and email address.

True, and this is exactly what malicious actors do. Or a site like data.com.
Or if there is an exposed system that can easily validate usernames (ie.
OWA), it can go one step further and use lists of common last names, and
brute the first initial, ie. asmith, bsmith, csmith...

Would a list help them?  With phishing yes, with brute forcing, not so
much.  An attacker is not going to brute force the entire company directory
all at once,

Sometimes this happens. Many companies use a default password for new users
and password resets. And users are fond of weak passwords. Companies also
often have a 90 day pw cjange policy which aligns to seasons, so a very
common password is <Season><Year>!  This meets most complexity guidelines
to have a password of Summer2017!  If a company prevents dictionary words,
that does help. But attackers do know these common passwords too. With a
large user list, the attacker can easily stay under rate controls by trying
1 user at a time. IP controls would be a different story.

As far as sensitivity to the data, I wouldn't consider it sensitive unless
the network ID is something random for each employee, separate from their
email address and is kept secret.  But the company would be far better off
having known network IDs and instead employ 2FA for all logins.

Agreed 100%. 2FA stops a lot of problems, but also ensure all accounts
enable 2FA, or else the attacker might.

So to the original question,  my answer would be, "it depends".

Patrick in Rhode Island

On Tue, May 9, 2017 at 7:53 AM, Yolanda Baker <yolybaker at gmail.com> wrote:

> I am formulating a test Q& A and need your expert opinion:  If an actor
> obtained a file containing first, last name, and network ID, would this be
> considered easy for brute force password cracking?
> Would you consider these combinations of fields sensitive corporate
> information requiring network ID to be masked from developers and third
> parties?
> Thanks for your reply,
> Yolanda Bsker
> --
> Sent from Gmail Mobile
> _______________________________________________
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-community

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20170516/5a409be1/attachment.html>

More information about the OWASP-Leaders mailing list