The managers are discussing password requirements. One desire is to disallow previously used passwords with memory of up to ten passwords used. Is there a sweet and simple way to implement this in SLES9/10? I don't see a pam module with this facility. -- -ashley Did you try poking at it with a stick?
On Mon, 31 Jul 2006, Ashley Gould wrote:
The managers are discussing password requirements. One desire is to disallow previously used passwords with memory of up to ten passwords used. Is there a sweet and simple way to implement this in SLES9/10? I don't see a pam module with this facility.
Is pam_pwcheck available? Then just read the corresponding README. Best regards Henning Hucke -- The person who makes no mistakes does not usually make anything.
Thanks. I missed that one before: "remember=XX" -> remember the last XX number of passwords and don't allow the user to use it again for the next XX password changes. XX is a number between 1 and 400. On Mon, Jul 31, 2006 at 11:19:49PM +0200, Henning Hucke wrote:
On Mon, 31 Jul 2006, Ashley Gould wrote:
The managers are discussing password requirements. One desire is to disallow previously used passwords with memory of up to ten passwords used. Is there a sweet and simple way to implement this in SLES9/10? I don't see a pam module with this facility.
Is pam_pwcheck available? Then just read the corresponding README.
Best regards Henning Hucke -- The person who makes no mistakes does not usually make anything.
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
-- -ashley Did you try poking at it with a stick?
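The option Ashley found, shown in place and checked, as an added example that is neither from the thread nor from the pam_pwcheck project: the sample stack below is the form a SLES10-style /etc/pam.d/common-password takes with remember=10 on pam_pwcheck.so (SLES9 carries the same lines in /etc/pam.d/passwd), the parser confirms the option is really set on that module in the password phase and inside the 1..400 range the README documents, and the PasswordHistory class simulates the window the option enforces. The sample stack, the salted SHA-256 store and the user names are constructed for the example; pam_pwcheck keeps real history in /etc/security/opasswd, and the class stands in for that file rather than reproducing its format.

```python
import hashlib
import os
import re
from collections import deque

# Constructed sample of a SLES10-style /etc/pam.d/common-password stack.
# remember=10 on pam_pwcheck.so is the option the thread is after.
SAMPLE_STACK = """\
#%PAM-1.0
password requisite pam_pwcheck.so nullok cracklib remember=10
password required  pam_unix2.so   nullok use_authtok
"""

REMEMBER_MIN, REMEMBER_MAX = 1, 400  # range documented in pam_pwcheck's README


def pam_remember_depth(stack_text, module="pam_pwcheck.so"):
    """Return the remember= depth set on `module` in the password phase,
    or None if the module is absent or carries no remember= option.
    Raises ValueError when the depth is outside the documented range."""
    for raw in stack_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # PAM syntax: type control module-path [args...]; newer PAM allows a
        # leading '-' on the type, so strip it before comparing.
        if len(fields) < 3 or fields[0].lstrip("-") != "password":
            continue
        if os.path.basename(fields[2]) != module:
            continue
        for arg in fields[3:]:
            m = re.fullmatch(r"remember=(\d+)", arg)
            if m:
                depth = int(m.group(1))
                if not REMEMBER_MIN <= depth <= REMEMBER_MAX:
                    raise ValueError(f"remember={depth} outside {REMEMBER_MIN}..{REMEMBER_MAX}")
                return depth
        return None  # module present, but no remember= option on it
    return None


class PasswordHistory:
    """Stand-in for the per-user history behind remember=N: keeps the last N
    password hashes (the current one included) and rejects a change to any of
    them. Salted SHA-256 is an assumption for the example, not the opasswd format."""

    def __init__(self, remember):
        if not REMEMBER_MIN <= remember <= REMEMBER_MAX:
            raise ValueError("remember out of range")
        self.remember = remember
        self._history = {}  # user -> deque of (salt, digest), oldest first

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha256(salt + password.encode()).hexdigest()

    def change(self, user, new_password):
        """Return True and record the password if it is not among the user's
        last `remember` passwords; return False and change nothing otherwise."""
        hist = self._history.setdefault(user, deque(maxlen=self.remember))
        if any(self._digest(salt, new_password) == digest for salt, digest in hist):
            return False
        salt = os.urandom(8)
        hist.append((salt, self._digest(salt, new_password)))  # evicts the oldest at N
        return True
```

To check a real box, feed it the stack it actually uses: pam_remember_depth(open("/etc/pam.d/common-password").read()). Two things worth knowing before the managers sign off: the history only starts accumulating with the first change made after the option is in place, so nothing already in use is retroactively blocked, and the file the module writes its hashes to should be readable by root only, since it is a list of every user's previous password hashes.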
On Tue, 1 Aug 2006 06:57 am, Ashley Gould wrote:
The managers are discussing password requirements. One desire is to disallow previously used passwords with memory of up to ten passwords used. Is there a sweet and simple way to implement this in SLES9/10? I don't see a pam module with this facility.
At work they change passwords every 3 months with 8 previous passwords remembered. This guarantees that everyone's password ends in a digit. Setting more than 9 will ensure 2 digits... ;^) -- Michael James michael.james@csiro.au System Administrator voice: 02 6246 5040 CSIRO Bioinformatics Facility fax: 02 6246 5166 No matter how much you pay for software, you always get less than you hoped. Unless you pay nothing, then you get more.
Ashley Gould wrote:
The managers are discussing password requirements. One desire is to disallow previously used passwords with memory of up to ten passwords used. Is there a sweet and simple way to implement this in SLES9/10? I don't see a pam module with this facility.
Others have pointed out the technical methods, but honestly, I would suggest to you that that policy is unwise. Security is as much a human issue as a technical one. In my experience, forcing people to keep changing passwords has one single effect: people will write them down. I would much prefer for someone to have a password they can remember that never changes than having passwords written all over Post-it notes. Think about what you gain from changing passwords and measure it against what you lose by having passwords written down all over the place.

The problem is password leakage. If a password falls into the wrong hands, your security is breached. But what causes passwords to fall into the wrong hands? What about changing passwords at intervals will prevent leakage? Not much. Think about it. Nearly all avenues of password leakage are current, so changing it every month or three months is really irrelevant. As soon as the perp has the password, he's in and the damage is done. Changing the password next month won't do any good. Dictionary attacks and whatnot are equally irrelevant to password changes; they don't take a month to perform, so the chances of you changing your password mid-attack are slim.

Making your users' lives simpler has a much greater beneficial effect on security. The more hoops they have to jump through, the greater the chance that they will simply circumvent the procedure.
On Monday 31 July 2006 16:42, suse@rio.vg wrote:
forcing people to keep changing passwords has one single effect: People will write them down.
I was hoping someone would point that out. One longer (unchanging) password (more than ten characters) is harder to guess than a monthly changing short one, which EVERY user changes via an easily discernible pattern. http://www.rsasecurity.com/press_release.asp?doc_id=6095 http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/ http://it.slashdot.org/article.pl?sid=05/09/27/1935210&from=rss -- _____________________________________ John Andersen
Yes, a longer password is much harder to break than a shorter one! The reason that you change your password on a regular basis is to prevent a compromised password from being effective forever. -----Original Message----- From: John Andersen [mailto:jsa@pen.homeip.net] Sent: Monday, July 31, 2006 10:34 PM To: suse-security@suse.com Subject: Re: [suse-security] password memory On Monday 31 July 2006 16:42, suse@rio.vg wrote:
forcing people to keep changing passwords has one single effect: People will write them down.
I was hoping someone would point that out. One longer (unchanging) password (more than ten characters) is harder to guess than a monthly changing short one, which EVERY user changes via an easily discernible pattern. http://www.rsasecurity.com/press_release.asp?doc_id=6095 http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/ http://it.slashdot.org/article.pl?sid=05/09/27/1935210&from=rss -- _____________________________________ John Andersen
Badger, Shawn wrote:
The reason that you change password on a regular basis is to prevent a compromised password from being effective forever.
But is that really worthwhile? As soon as a password is compromised, the damage is done. I find the idea that an attacker is going to get a password, then wait weeks or months to use it rather odd. They're more likely to use it right away. Weigh the unlikely lackadaisical attacker against the rather hefty problem of people writing their passwords on Post-it notes where anyone can see them...
On Tue, Aug 01, 2006 at 11:15:09AM -0400, suse@rio.vg wrote:
Badger, Shawn wrote:
The reason that you change password on a regular basis is to prevent a compromised password from being effective forever.
But is that really worthwhile? As soon as a password is compromised, the damage is done. I find the idea that an attacker is going to get a password, then wait weeks or months to use it rather odd. They're more likely to use it right away.
For an external "techy" attacker that may be true. But changing passwords regularly may help against snooping co-workers that saw you typing a password while looking over your shoulder. Is it worthwhile? For me it's no burden to change my password from time to time. I have no problem with remembering R%anc!BhouseaL after typing it a few times. For others that don't have to remember dozens of passwords anyway it may be harder and they may write their password down and defeat your whole password policy. marc
Marc Samendinger schrieb:
On Tue, Aug 01, 2006 at 11:15:09AM -0400, suse@rio.vg wrote:
Badger, Shawn wrote:
The reason that you change password on a regular basis is to prevent a compromised password from being effective forever.
But is that really worthwhile? As soon as a password is compromised, the damage is done. I find the idea that an attacker is going to get a password, then wait weeks or months to use it rather odd. They're more likely to use it right away.
For an external "techy" attacker that may be true. But changing passwords regularly may help against snooping co-workers that saw you typing a password while looking over your shoulder.
Is it worthwhile? For me it's no burden to change my password from time to time. I have no problem with remembering R%anc!BhouseaL after typing it a few times. For others that don't have to remember dozens of passwords anyway it may be harder and they may write their password down and defeat your whole password policy.
I think it should be no problem for the average employee to remember two or three complicated, but often-used passwords (with the help of a little paper scrap in their purse, for the first week, maybe). I've got lots of passwords (mysql root passwords, passwords to access certain websites, normal root passwords, etc.) and I have to write them down in a file on an encrypted partition; if I don't use them for some time, I just forget them. Those that I use often I can usually remember well (I sometimes just remember the keys I have to type, but couldn't spell the password if I was asked for it), but the others...

If you have lots of people who refuse to learn an 8- or 10-digit apg password (or claim that they "can't memorize it"), I'd say chances are good the same people would tell somebody on the phone claiming to be "Joe Bloggs from IT" their current password, regardless of how complicated it was. I'd even go as far as saying that some of those might read the numbers from an RSA two-factor key to someone on the phone, if (s)he was convincing enough.

So, we're down to a social problem again: if people literally switch off their brains during work, no technical hurdle will prevent them from doing something stupid. Social problems have no technical (or even judicial) solution. cheers, Rainer
Rainer Duffner wrote:
I think it should be no problem for the average employee to remember two or three complicated, but often-used passwords (with the help of a little paper scrap in their purse, for the first week, maybe). I've got lots of passwords (mysql root passwords, passwords to access certain websites, normal root passwords, etc.) and I have to write them down in a file on an encrypted partition; if I don't use them for some time, I just forget them. Those that I use often I can usually remember well (I sometimes just remember the keys I have to type, but couldn't spell the password if I was asked for it), but the others...
If you have lots of people who refuse to learn an 8- or 10-digit apg password (or claim that they "can't memorize it"), I'd say chances are good the same people would tell somebody on the phone claiming to be "Joe Bloggs from IT" their current password, regardless of how complicated it was. I'd even go as far as saying that some of those might read the numbers from an RSA two-factor key to someone on the phone, if (s)he was convincing enough.
So, we're down to a social problem again: if people literally switch off their brains during work, no technical hurdle will prevent them from doing something stupid. Social problems have no technical (or even judicial) solution.
You're thinking like a tech. You CARE about security. Frankly, the vast majority of your coworkers probably DON'T. They don't see it as their job to make sure the network/servers are secure. They view security measures as an impediment to getting their own work done. At any time, if they think they can get work done faster/easier by going around your security, they will.

Your employees see you as Mordac, Preventer of Information Services from the Dilbert strip http://en.wikipedia.org/wiki/Mordac#Mordac

Can these people remember highly secure passwords? Sure. But they don't want to. They have other things to worry about. Your salesman would rather be brushing up on his latest sales pitch or putting more oil in his hair, rather than work on committing passwords to memory. Your analysts are trying to keep data from a dozen different sources straight in their head to make proper projections. The secretaries would rather be chatting on the phone with whomever they seem to chat on the phone with all day. And the executives are lucky enough if they can find the power switch after coming back from their martini lunches.

The point is that none of these people view security the way you do. To you, it's an essential part of the network and a vital part of your job. To them, it's taking up time in their day when they could be getting their own work done. The idea that security is everyone's responsibility has not sunk in. This is why people will blithely give up their passwords; they simply don't care.

The key to good security, imho, is to make your workers' lives as simple as possible. The less annoying you are to them, the more likely they are to work with you, rather than around you.

This is why I like passphrases. They're more secure than simple words, but are far easier to remember and type than the "must be 8 characters and include at least two numbers, different capitalization, a special character, and must not contain a word, word fragment, or backwards word." (Yes, I've been at a place that had that policy.) And, as you've pointed out, it's far more likely that the password leak is from the user telling someone their password than from an actual dictionary attack.
I want to go out of the list! Maruja Gómez Flores, Systems Department, ESTUDIO CABALLERO BUSTAMANTE www.caballerobustamante.com.pe ----- Original Message ----- From: <suse@rio.vg> To: <suse-security@suse.com> Sent: Wednesday, August 02, 2006 9:40 AM Subject: Re: SPAM: Re: [suse-security] password memory
I can understand this response ;-} ---- D.S. Hodgson - different perspectives
-----Original Message----- From: Maruja Gomez [mailto:mgomez@caballerobustamante.com.pe] Sent: Wednesday, August 02, 2006 5:10 PM To: suse@rio.vg; suse-security@suse.com Subject: Re: SPAM: Re: [suse-security] password memory
I want to go out of the list!
John Andersen wrote:
On Monday 31 July 2006 16:42, suse@rio.vg wrote:
forcing people to keep changing passwords has one single effect: People will write them down.
I was hoping someone would point that out.
One longer (unchanging) password (more than ten characters) is harder to guess than a monthly changing short one, which EVERY user changes via an easily discernable pattern.
Even one step better is the idea of "passphrases" rather than passwords. It's much easier for someone to remember a simple phrase than "k4M3.HhZ". If you have, for instance, someone enamored of a certain Chicago sports team, their passphrase could be "Da'Bears are Da'Bestest!" If someone has a poor memory for things, have them pick something that rhymes or a mnemonic. To be honest, though, I haven't seen a real dictionary attack in many years. Mostly, it's people knocking on port 22 looking for a passwordless account. (Or ones with the password "password" or "guest")
On Tuesday 01 August 2006 17:09, suse@rio.vg wrote:
Even one step better is the idea of "passphrases" rather than passwords. It's much easier for someone to remember a simple phrase than "k4M3.HhZ". If you have, for instance, someone enamored of a certain Chicago sports team, their passphrase could be "Da'Bears are Da'Bestest!" If someone has a poor memory for things, have them pick something that rhymes or a mnemonic.
In principle, that's good advice, but most people, besides not being able to spell correctly (or even incorrectly), can't remember HOW they misspelled their passphrase. In the end, they write it down. But using a phrase, or the first letters of all the words in this phrase, or something equally irritating ;), seems to be the better choice (better than making them change their password every so often).
To be honest, though, I haven't seen a real dictionary attack in many years. Mostly, it's people knocking on port 22 looking for a passwordless account. (Or ones with the password "password" or "guest")
Here I must contradict you: about every two to three weeks some machine or other starts dict attacks on any number of my firewalls. The logs are full of "unknown user" and "wrong password" lines in rapid succession. Greetings from Vienna, Wolfgang
Wolfgang Leithner wrote:
On Tuesday 01 August 2006 17:09, suse@rio.vg wrote:
In principle, that's good advice, but most people, besides not being able to spell correctly (or even incorrectly), can't remember HOW they misspelled their passphrase. In the end, they write it down. But using a phrase, or the first letters of all the words in this phrase, or something equally irritating ;), seems to be the better choice (better than making them change their password every so often).
Well, just spell the passphrase correctly. What's wrong with that? My Bears example may have been a bit culture-centric to here in the States. For someone who likes Edgar Allan Poe, you could have "Quoth the Raven, Nevermore", or for someone who liked Moby Dick, "Call me Ishmael.". Or for someone who likes American Idol: "Simon is a real Jerk!" Or for a classical musician: "A Flute Player is a Flautist" (which I found out recently). The key is for the user to come up with it themselves, or at least tailor it to them. If someone speaks another language, use that. With a highly variable number of characters, dictionary attacks become exponentially more difficult, even if you stick to fairly straightforward language. Rather than go for numbers, I'll try to include a word that is rare or at least uncommon, and capitalization that is natural but difficult for a computer to guess, and throw in some punctuation somewhere for good measure.
Here I must contradict you: about every two to three weeks some machine or other starts dict attacks on any number of my firewalls. The logs are full of "unknown user" and "wrong password" lines in rapid succession.
Oh, yes, I get those every day. However, look at them more closely. I haven't had a single case in several years where the same username was tried over and over. They'll knock on the ssh port trying a whole bunch of usernames, but only one or two passwords, and usually no password at all.
suse@rio.vg wrote:
Oh, yes, I get those every day. However, look at them more closely. I haven't had a single case in several years where the same username was tried over and over. They'll knock on the ssh port trying a whole bunch of usernames, but only one or two passwords, and usually no password at all.
I can confirm this, their dictionaries are normally < 50 words, the most I've seen lately are about 200 entries from one IP.
Ralf Ronneburger wrote:
suse@rio.vg wrote:
Oh, yes, I get those every day. However, look at them more closely. I haven't had a single case in several years where the same username was tried over and over. They'll knock on the ssh port trying a whole bunch of usernames, but only one or two passwords, and usually no password at all.
I can confirm this, their dictionaries are normally < 50 words, the most I've seen lately are about 200 entries from one IP. DenyHosts is your friend in those situations. It will block the kiddie in 30 seconds and reduce the number of log entries.
/Ingvar
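The log triage that suse@rio.vg, Ralf and Ingvar describe, as an added example that is not code from the thread or from DenyHosts: it runs over a constructed sample of sshd lines in the syslog form SLES wrote to /var/log/messages (addresses taken from the documentation ranges), tells a username scan (many accounts, one or two guesses each) apart from password guessing against a single account, and emits the "sshd: <ip>" lines a DenyHosts-style blocker appends to /etc/hosts.deny once a source passes a threshold. The five-attempt threshold and the three-username rule are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sshd log lines in 2006-era syslog form; not real traffic.
SAMPLE_LOG = """\
Aug  2 03:14:07 fw1 sshd[4123]: Invalid user admin from 192.0.2.10
Aug  2 03:14:07 fw1 sshd[4123]: Failed none for invalid user admin from 192.0.2.10 port 51234 ssh2
Aug  2 03:14:09 fw1 sshd[4125]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2
Aug  2 03:14:11 fw1 sshd[4127]: Failed password for invalid user guest from 192.0.2.10 port 51244 ssh2
Aug  2 03:14:13 fw1 sshd[4129]: Failed password for invalid user oracle from 192.0.2.10 port 51250 ssh2
Aug  2 03:14:15 fw1 sshd[4131]: Failed password for root from 192.0.2.10 port 51255 ssh2
Aug  2 08:01:00 fw1 sshd[5001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Aug  2 08:01:03 fw1 sshd[5001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Aug  2 08:01:06 fw1 sshd[5001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Aug  2 08:01:09 fw1 sshd[5003]: Failed password for root from 203.0.113.5 port 40007 ssh2
Aug  2 08:01:12 fw1 sshd[5003]: Failed password for root from 203.0.113.5 port 40007 ssh2
Aug  2 09:00:00 fw1 sshd[5100]: Failed password for ashley from 198.51.100.7 port 33000 ssh2
Aug  2 09:00:30 fw1 sshd[5101]: Accepted password for ashley from 198.51.100.7 port 33002 ssh2
"""

# Only "Failed <method> for ..." lines count, so the "Invalid user" line that
# precedes each failure is not counted twice. The match is anchored on the
# trailing "port N" because the username is attacker-chosen text.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def summarize_failures(log_text):
    """Per source address: failed attempts, the usernames tried, and how many
    attempts named an account that does not exist on the box."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        entry = per_ip[m.group("ip")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
        if m.group("invalid"):
            entry["invalid"] += 1
    return dict(per_ip)


def classify(entry, min_attempts=5):
    """'username scan' spreads a few guesses over many accounts (the pattern
    the thread describes), 'password guessing' hammers one account, and
    anything under min_attempts is 'normal' (typos, a forgotten password)."""
    if entry["attempts"] < min_attempts:
        return "normal"
    if len(entry["users"]) >= 3 and entry["invalid"] > 0:
        return "username scan"
    if len(entry["users"]) == 1:
        return "password guessing"
    return "mixed"


def hosts_deny_lines(log_text, min_attempts=5):
    """The 'daemon: client' lines a DenyHosts-style blocker would append to
    /etc/hosts.deny for every source at or over the threshold."""
    summary = summarize_failures(log_text)
    return [f"sshd: {ip}" for ip, entry in sorted(summary.items())
            if entry["attempts"] >= min_attempts]
```

On a real box, feed summarize_failures the contents of /var/log/messages. The scan pattern also explains why per-source blocking is the control that fits it: one guess spread across fifty accounts never reaches a per-account lockout threshold, so a tally on the account does nothing, while a tally on the source address catches it in a few seconds.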
suse@rio.vg wrote:
John Andersen wrote:
On Monday 31 July 2006 16:42, suse@rio.vg wrote:
forcing people to keep changing passwords has one single effect: People will write them down. I was hoping someone would point that out.
One longer (unchanging) password (more than ten characters) is harder to guess than a monthly changing short one, which EVERY user changes via an easily discernable pattern.
Even one step better is the idea of "passphrases" rather than passwords. It's much easier for someone to remember a simple phrase than "k4M3.HhZ". If you have, for instance, someone enamored of a certain Chicago sports team, their passphrase could be "Da'Bears are Da'Bestest!" If someone has a poor memory for things, have them pick something that rhymes or a mnemonic.
I take this one step further. Take a longer phrase and use the first character of each word. Throw in some type of punctuation. Do the typical substitutions and you can generate a relatively obscure password: There are 11 players on a football team and 9 on a baseball team. Ta11poafta9oabt.
To be honest, though, I haven't seen a real dictionary attack in many years. Mostly, it's people knocking on port 22 looking for a passwordless account. (Or ones with the password "password" or "guest")
I'd say that's just a very small dictionary they're working from. :) -- Until later, Geoffrey Any society that would give up a little liberty to gain a little security will deserve neither and lose both. - Benjamin Franklin
Geoffrey wrote:
I take this one step further. Take a longer phrase and use the first character of each word. Throw in some type of punctuation. Do the typical substitutions and you can generate a relatively obscure password:
There are 11 players on a football team and 9 on a baseball team.
Ta11poafta9oabt.
It's clever and nifty but users hate it. You see, it means that every time they type in their password, they have to think about it, and will frequently make typing errors, increasing frustration as they run through it constantly wondering if they maybe missed a letter or mistyped, since they can't see what they're typing. For a tech, it's a good system, for the average user, they hate it. This comes back to the initial problem: Security is a human issue. The more difficult/time consuming/annoying for the user, the better the chance that it will simply be circumvented.
To be honest, though, I haven't seen a real dictionary attack in many years. Mostly, it's people knocking on port 22 looking for a passwordless account. (Or ones with the password "password" or "guest")
I'd say that's just a very small dictionary they're working from. :)
Vocabulary isn't their strong point. :)
suse@rio.vg wrote:
Geoffrey wrote:
I take this one step further. Take a longer phrase and use the first character of each word. Throw in some type of punctuation. Do the typical substitutions and you can generate a relatively obscure password:
There are 11 players on a football team and 9 on a baseball team.
Ta11poafta9oabt.
It's clever and nifty but users hate it. You see, it means that every time they type in their password, they have to think about it, and will frequently make typing errors, increasing frustration as they run through it constantly wondering if they maybe missed a letter or mistyped, since they can't see what they're typing. For a tech, it's a good system, for the average user, they hate it.
Then they should get over it. Come on, it's not all that difficult. If you're going to have a long password, it's best to have a way to remember it. My 15 year old daughter uses this approach and if she can do it, I'd suggest any adult should. Let's face it, there's not an easy way of forcing good passwords. Create a policy that works, even if it's a bit painful. That's certainly better than the sticky note approach, or the "password is their dog's name" solution.
This comes back to the initial problem: Security is a human issue. The more difficult/time consuming/annoying for the user, the better the chance that it will simply be circumvented.
Agreed, but I don't see the above solution as nearly as difficult as forced password changes or other solutions proposed. This I see as at least workable. That is, they'll complain, but they'll get used to it.
To be honest, though, I haven't seen a real dictionary attack in many years. Mostly, it's people knocking on port 22 looking for a passwordless account. (Or ones with the password "password" or "guest") I'd say that's just a very small dictionary they're working from. :)
Vocabulary isn't their strong point. :)
-- Until later, Geoffrey Any society that would give up a little liberty to gain a little security will deserve neither and lose both. - Benjamin Franklin
On Tuesday 01 August 2006 07:34, Geoffrey wrote:
Do the typical substitutions and you can generate a relatively obscure password:
There are 11 players on a football team and 9 on a baseball team.
Ta11poafta9oabt.
What's he talking about? BTFOM. -- _____________________________________ John Andersen
John Andersen wrote:
On Tuesday 01 August 2006 07:34, Geoffrey wrote:
Do the typical substitutions and you can generate a relatively obscure password:
There are 11 players on a football team and 9 on a baseball team.
Ta11poafta9oabt.
What's he talking about?
BTFOM.
Substitutions as in a number one for the lowercase 'l', a zero for the lowercase 'o', the number 5 for the lowercase 's'. I didn't do any in the above example because of the numbers that already existed in the phrase. Point is, it's hard for anyone to remember a long password unless it's something simple, say, their name. With the above approach anyone can remember a phrase that makes sense to them. Even if their spelling is incorrect, if they are consistent, it still works.
--
Until later, Geoffrey
Any society that would give up a little liberty to gain a little security will deserve neither and lose both. - Benjamin Franklin
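The phrase-to-password scheme Geoffrey describes above, written out as an added example (this is not code from the thread): take the first letter of each word, keep whole numbers and trailing punctuation, then optionally apply the l/o/s substitutions. The minimum length and the character-class check in `password_problems` are my assumptions, not anything the thread specifies.

```python
"""Added example: Geoffrey's phrase-to-password scheme, with the substitutions
he names (l -> 1, o -> 0, s -> 5) and a small sanity check on the result."""
import re

# Substitutions named in the thread. Note for defenders: these particular
# swaps are routinely included in password-cracking rule sets, so they add
# little against an offline attack; the length of the phrase is what helps.
SUBSTITUTIONS = str.maketrans({"l": "1", "o": "0", "s": "5"})

# Assumed policy values (not from the thread).
MIN_LENGTH = 12


def phrase_to_password(phrase: str, substitute: bool = False) -> str:
    """Reduce a phrase to initials, keeping numbers whole and punctuation.

    "There are 11 players on a football team and 9 on a baseball team."
    becomes "Ta11poafta9oabt." exactly as in the thread.
    """
    parts = []
    for token in phrase.split():
        # Split a word from any punctuation glued to its end ("team." -> "team", ".").
        m = re.fullmatch(r"([A-Za-z0-9']+)([^A-Za-z0-9']*)", token)
        if not m:
            continue
        word, punct = m.group(1), m.group(2)
        parts.append(word if word.isdigit() else word[0])
        parts.append(punct)
    result = "".join(parts)
    return result.translate(SUBSTITUTIONS) if substitute else result


def password_problems(password: str) -> list:
    """Return a list of reasons the result falls short of the assumed policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


if __name__ == "__main__":
    for phrase in ("There are 11 players on a football team and 9 on a baseball team.",
                   "The quick brown fox jumps over the lazy dog"):
        pw = phrase_to_password(phrase, substitute=True)
        print(pw, password_problems(pw) or "ok")
```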
On 8/2/06, Geoffrey <esoteric@3times25.net> wrote:
John Andersen wrote:
On Tuesday 01 August 2006 07:34, Geoffrey wrote:
Do the typical substitutions and you can generate a relatively obscure password:
There are 11 players on a football team and 9 on a baseball team.
Ta11poafta9oabt.
What's he talking about?
BTFOM.
Substitutions as in a number one for the lowercase 'l', a zero for the lower case 'o', the number 5 for the lowercase 's'. I didn't do any in the above example because of the numbers that already existed in the phrase.
Point is, it's hard for anyone to remember a long password unless it's something simple, say, their name. With the above approach anyone can remember a phrase that makes sense to them. Even if their spelling is incorrect, if they are consistent, it still works.
-- Until later, Geoffrey
I think a lot of the people here are missing the point. The key to password management is finding the most secure policy without introducing further insecurities -- such as personnel writing down passwords. This is not to say that password policies are not effective ... just that the policy must take into consideration the training personnel have with regards to computer/network security, the value of the data and/or systems being protected, and any environmental concerns such as business culture. A complete disregard for implementation of some type of security policy is a fatal mistake. You just have to find that "sweet spot" where you get the good without presenting more bad. Geoffrey's implementation may not be perfect for every scenario or environment; however it is a good start. ;)
Thomas
Thomas Jones wrote:
Geoffrey's implementation may not be perfect for every scenario or environment; however it is a good start. ;)
I agree, it's not perfect, but my 15 year old daughter uses it, because the security geek in the house says she will. If she can, I have no doubt any adult in a corporate environment can. They just need the right incentive. I would like to say that another huge aspect of the problem is that non-tech management does not place enough (any?) emphasis on computer/network security. They're just like everyone else. They want it secure, but they want it easy and painless. Look, it doesn't happen. When you get in a car, you have to have your key, put on your seatbelt, stop at stop signs and so on. We've all adapted to those issues. We all need to adapt to computer security solutions. That point is not getting across from the right people.
--
Until later, Geoffrey
Any society that would give up a little liberty to gain a little security will deserve neither and lose both. - Benjamin Franklin
On Tuesday, 1 August 2006 17:09, suse@rio.vg wrote:
To be honest, though, I haven't seen a real dictionary attack in many years. Mostly, it's people knocking on port 22 looking for a passwordless account. (Or ones with the password "password" or "guest")
...which can be easily circumvented by relocating sshd to another port.
Pete
On Tue, 1 Aug 2006, Hans-Peter Jansen wrote:
On Tuesday, 1 August 2006 17:09, suse@rio.vg wrote:
[...]
...which can be easily circumvented by relocating sshd to another port.
Security by obscurity. I thought that this approach to "security" already vanished from the screen of security-aware people a long time ago. Moving services away from their standard port solves _no_ security problem at all but raises - sometimes tricky - problems running the services themselves.
Regards
Henning Hucke
--
Will Rogers never met you.
On Tuesday, 1 August 2006 20:13, Henning Hucke wrote:
On Tue, 1 Aug 2006, Hans-Peter Jansen wrote:
On Tuesday, 1 August 2006 17:09, suse@rio.vg wrote:
[...]
...which can be easily circumvented by relocating sshd to another port.
Security by obscurity. I thought that this approach to "security" already vanished from the screen of security aware people a long time ago.
Moving services away from their standard port solves _no_ security problem at all but raises - sometimes tricky - problems running the services themselves.
I know I don't solve any security problem, just spare a few boring syslog entries courtesy of some trolls. Real attacks are a completely different story though!
Pete
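The distinction drawn in this exchange (low-effort "knocking on port 22" versus a real dictionary attack on one account) can be made from the sshd syslog entries themselves rather than by moving the port. The following is an added example, not code from the thread or from SUSE: the log lines are constructed, and the 20-attempt threshold used to separate the two cases is an assumption.

```python
"""Added example: triage sshd failures into port scanning versus a sustained
dictionary attack against a single account. Sample log is constructed."""
import re
from collections import defaultdict

# Constructed syslog lines in the format sshd writes (hosts use documentation
# address ranges). A scanner tries a handful of default accounts once each;
# a dictionary attack hammers one account repeatedly from the same source.
SAMPLE_LOG = "\n".join([
    "Aug  1 17:09:01 host sshd[4242]: Failed password for invalid user guest from 198.51.100.7 port 40010 ssh2",
    "Aug  1 17:09:02 host sshd[4243]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2",
    "Aug  1 17:09:03 host sshd[4244]: Failed password for invalid user test from 198.51.100.7 port 40012 ssh2",
    "Aug  1 17:30:00 host sshd[4400]: Accepted password for geoffrey from 192.0.2.20 port 52000 ssh2",
] + [
    f"Aug  1 17:12:{s:02d} host sshd[{4300 + s}]: Failed password for root from 203.0.113.9 port {51000 + s} ssh2"
    for s in range(12, 40)
])

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

# Assumed threshold: at or above this many failures from one source we call it an attack.
DICTIONARY_THRESHOLD = 20


def triage(log_text: str, threshold: int = DICTIONARY_THRESHOLD) -> dict:
    """Group failed logins by source address and label each source.

    Returns {source: {"attempts": n, "users": [...], "verdict": "scan"|"dictionary"}}.
    Successful logins ("Accepted password") are ignored here.
    """
    attempts = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, source = m.groups()
            attempts[source] += 1
            users[source].add(user)
    report = {}
    for source, count in attempts.items():
        # Many failures concentrated on one account from one source is the
        # "real attack" case; a few tries across default names is scanning noise.
        verdict = "dictionary" if count >= threshold and len(users[source]) == 1 else "scan"
        report[source] = {"attempts": count, "users": sorted(users[source]), "verdict": verdict}
    return report


if __name__ == "__main__":
    for source, info in triage(SAMPLE_LOG).items():
        print(f"{source}: {info['attempts']} failures, users={info['users']} -> {info['verdict']}")
```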