PingDirectory

Unpredictable identifiers for server administrators

You can prevent online password guessing attacks by using unpredictable identifiers for users.

If an attacker doesn’t know the name of the account, then it’s another obstacle to overcome before they can authenticate as them.

An entry’s DN is the most common identifier used to authenticate, as it’s required for simple binds and is often used for SASL binds. For regular users, you should name accounts with the entryUUID attribute. However, this isn’t feasible for root users or topology administrators because the configuration framework requires these entries to use cn as the naming attribute. Further, many SASL mechanisms allow identifying users with a username, which is correlated to the associated entry using an identity mapper, so using an unpredictable DN might not be enough to sufficiently interfere with an attacker’s ability to target a server administrator.

The best way to obscure identifiers for root users and topology administrators is to choose unpredictable values for the cn attribute in their accounts and not include any predictable alternate bind DN values for those accounts. Although it is possible to use randomly generated cn values, it should be sufficient to use more memorable strings as long as they aren’t something an attacker is likely to guess even if they know the identities of those administrators.
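The following script is an added example, not PingDirectory code or part of this page. It audits an LDIF export of the root user configuration for the two problems described above: cn values or alternate bind DN values that are well-known administrator names, or that can be derived from the real identity of an administrator. It also checks whether a regular user DN follows the entryUUID naming recommendation. The object class `ds-cfg-root-dn-user`, the attribute `ds-cfg-alternate-bind-dn`, the container `cn=Root DNs,cn=config`, and the LDIF content itself are assumptions made for this example; adjust them to match your own export.

```python
"""Audit PingDirectory root-user identifiers for predictability.

Added example, not PingDirectory code. Assumed (not from the page): root
users are exported under cn=Root DNs,cn=config with objectClass
ds-cfg-root-dn-user and the attribute ds-cfg-alternate-bind-dn. The LDIF
below is constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# Constructed export: one root user with guessable identifiers, one that is
# memorable but not guessable, and the container entry (not a root user).
SAMPLE_LDIF = """\
dn: cn=Root DNs,cn=config
objectClass: top
objectClass: ds-cfg-branch
cn: Root DNs

dn: cn=Directory Manager,cn=Root DNs,cn=config
objectClass: top
objectClass: person
objectClass: ds-cfg-root-dn-user
cn: Directory Manager
ds-cfg-alternate-bind-dn: cn=admin
ds-cfg-alternate-bind-dn: cn=jdoe

dn: cn=copper-teapot-sunrise,cn=Root DNs,cn=config
objectClass: top
objectClass: person
objectClass: ds-cfg-root-dn-user
cn: copper-teapot-sunrise
"""

# Names an attacker would try first: product defaults and generic admin
# names. Constructed list; extend it with your organisation's conventions.
WELL_KNOWN = {"directory manager", "admin", "administrator", "root", "manager"}

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines and keeps every value of
    a multi-valued attribute. Base64 (':: ') values are not needed here."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def rdn_value(dn: str) -> str:
    """Value of the leftmost RDN, e.g. 'admin' for 'cn=admin,cn=Root DNs,cn=config'."""
    return dn.split(",", 1)[0].partition("=")[2].strip()


def name_variants(full_name: str) -> set:
    """Identifier forms an attacker could derive from a known person's name."""
    parts = full_name.lower().split()
    variants = {full_name.lower(), "".join(parts)}
    if len(parts) >= 2:
        first, last = parts[0], parts[-1]
        variants.update({first, last, first[0] + last, first + "." + last,
                         first + "_" + last, last + first[0]})
    return variants


def is_predictable(value: str, known_admins: List[str]) -> str:
    """Reason a bind identifier is guessable, or '' if it looks acceptable."""
    v = value.strip().lower()
    if v in WELL_KNOWN:
        return "well-known administrator name"
    for person in known_admins:
        if v in name_variants(person):
            return f"derived from the identity of {person}"
    return ""


def audit_root_users(ldif_text: str, known_admins: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (entry DN, attribute, value, reason) for each guessable root-user identifier."""
    findings = []
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "ds-cfg-root-dn-user" not in classes:   # assumed object class name
            continue
        dn = entry["dn"][0]
        checks = [("cn", v) for v in entry.get("cn", [])]
        checks += [("ds-cfg-alternate-bind-dn", rdn_value(v))
                   for v in entry.get("ds-cfg-alternate-bind-dn", [])]
        for attr, value in checks:
            reason = is_predictable(value, known_admins)
            if reason:
                findings.append((dn, attr, value, reason))
    return findings


def uses_entryuuid_naming(dn: str) -> bool:
    """True when a regular user's RDN is entryUUID=<uuid>, as the page recommends."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower() == "entryuuid" and bool(UUID_RE.match(value.strip()))


if __name__ == "__main__":
    # "Jane Doe" is a constructed administrator identity for the demonstration.
    for dn, attr, value, reason in audit_root_users(SAMPLE_LDIF, ["Jane Doe"]):
        print(f"{dn}: {attr}={value!r} is predictable ({reason})")
```

Run it against a real export of `cn=Root DNs,cn=config` and pass the list of people who actually hold root accounts as `known_admins`; every finding is a cn or alternate bind DN that should be renamed or removed. The entryUUID check is a separate helper so the same script can be pointed at user entries.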