[opensuse] Password Requirements
I need to require users to use 2 caps, 2 lowercase, 2 special, and 2 numbers. I also need to keep a history of their last 10 passwords. There doesn't seem to be a way to do this with YAST. I've tried adding pam_cracklib to the common-password file but now it immediately says the password has been used before. What is the correct way to configure these requirements? Here is what I have in my common-password file:
password required pam_pwcheck.so nullok debug
password requisite pam_cracklib.so retry=3 minlen=9 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2 difok=1 use_authtok debug
password required pam_unix2.so nullok use_first_pass use_authtok debug
-- Nobody get out of this life alive. That said, worry less.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Tuesday 20 May 2008 15:01:13 Jeremy Leonard wrote:
I need to require users to use 2 caps, 2 lowercase, 2 special, and 2 numbers. I also need to keep a history of their last 10 passwords.
There doesn't seem to be a way to do this with YAST.
I've tried adding pam_cracklib to the common-password file but now it immediately says the password has been used before.
I'm guessing you have "remember=" set in /etc/security/pam_pwcheck.conf. pam_cracklib.so will always check for old passwords. If you also have it set in pam_pwcheck, pam_cracklib will always flag a password as old, since the two modules both use opasswd as storage for old passwords. So try removing remember= from pam_pwcheck.conf.
Anders
On Tue, 20 May 2008 21:54:07 +0200, Anders Johansson <ajh@rydsbo.net> wrote:
On Tuesday 20 May 2008 15:01:13 Jeremy Leonard wrote:
I need to require users to use 2 caps, 2 lowercase, 2 special, and 2 numbers. I also need to keep a history of their last 10 passwords.
There doesn't seem to be a way to do this with YAST.
I've tried adding pam_cracklib to the common-password file but now it immediately says the password has been used before.
I'm guessing you have "remember=" set in /etc/security/pam_pwcheck.conf
pam_cracklib.so will always check for old passwords. If you also have it set in pam_pwcheck, pam_cracklib will always flag a password as old, since the two modules both use opasswd as storage for old passwords
So try removing remember= from pam_pwcheck.conf
Anders
If I remove the remember= from pam_pwcheck.conf then the opasswd file never gets updated.
-- Nobody get out of this life alive. That said, worry less.
On Tuesday 20 May 2008 22:10:27 Jeremy Leonard wrote:
If I remove the remember= from pam_pwcheck.conf then the opasswd file never gets updated.
Correct. Forgot that cracklib only reads. You need to change the order of the checks. This works:
password required pam_cracklib.so retry=3 minlen=9 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2 difok=1 debug
password requisite pam_pwcheck.so nullok use_authtok
password required pam_unix2.so nullok use_authtok
but oh dear is it annoying to find a password it will accept :)
Anders
On Tue, 20 May 2008 22:51:15 +0200, Anders Johansson <ajh@rydsbo.net> wrote:
On Tuesday 20 May 2008 22:10:27 Jeremy Leonard wrote:
If I remove the remember= from pam_pwcheck.conf then the opasswd file never gets updated.
Correct. Forgot that cracklib only reads. You need to change the order of the checks. This works
password required pam_cracklib.so retry=3 minlen=9 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2 difok=1 debug
password requisite pam_pwcheck.so nullok use_authtok
password required pam_unix2.so nullok use_authtok
With it configured as above, history works correctly. But it doesn't enforce the cracklib stuff. It also asks for the new password, then the old password. It says the password was updated successfully, then it says the update failed. The password is changed, though.
but oh dear is it annoying to find a password it will accept :)
Anders
On Tuesday 20 May 2008 23:03:42 Jeremy Leonard wrote:
With it configured as above history works correctly. But it doesn't enforce the cracklib stuff.
It also asks for the new password, then the old password. It says the password was updated successfully, then it says the update failed. The password is changed, though.
It works for me on 10.3, and it does enforce the cracklib requirements, which is why I said it was very hard to find a password it would accept. What version of suse are you doing this on?
Anders
On Tue, 20 May 2008 23:10:10 +0200, Anders Johansson <ajh@rydsbo.net> wrote:
On Tuesday 20 May 2008 23:03:42 Jeremy Leonard wrote:
With it configured as above history works correctly. But it doesn't enforce the cracklib stuff.
It also asks for the new password, then the old password. It says the password was updated successfully, then it says the update failed. The password is changed, though.
It works for me on 10.3, and it does enforce the cracklib requirements, which is why I said it was very hard to find a password it would accept
What version of suse are you doing this on?
SLES 10SP1. These password settings are required by the federal government for DIACAP. We have an audit starting this weekend.
Anders
Jeremy Leonard wrote:
I need to require users to use 2 caps, 2 lowercase, 2 special, and 2 numbers.
Wow....what's this for? Sounds like it would be a royal pain in the posterior.... Why so many special requirements? Isn't it more important for a user to have an unbreakable or unguessable password than to meet certain criteria of characters? Tell users just to use a "passphrase" instead of a password...and require 20 characters or more. Wouldn't that create a small amount of security? Who was it I saw recently...had a password that was a 20-30 digit prime-looking number. Ouch! Viva la biometrics!
The Tuesday 2008-05-20 at 15:50 -0700, Linda Walsh wrote:
Jeremy Leonard wrote:
I need to require users to use 2 caps, 2 lowercase, 2 special, and 2 numbers.
Wow....what's this for? Sounds like it would be a royal pain in the posterior....
:-) And even worse if you need to rescue the machine and the keyboard layout is non-us: the special "chars" change location.
--
Cheers,
Carlos E. R.
Linda Walsh wrote:
Jeremy Leonard wrote:
I need to require users to use 2 caps, 2 lowercase, 2 special, and 2 numbers.
Wow....what's this for? Sounds like it would be a royal pain in the posterior....
Why so many special requirements?
Security requirements. Those are typical password requirements for US government accounts.
Isn't it more important for a user to have an unbreakable or unguessable password than to meet certain criteria of characters?
There is no such thing as an unbreakable or unguessable password... any brute-force attack can eventually succeed.
Tell users just to use a "passphrase" instead of a password...and require 20 characters or more.
You can make passphrases which fit the criteria like this:
d0N,Tuh8@!on9PAssW0rd?
 ^                ^
 zero             zero
@N0th3r!on9P422w0rd
Wouldn't that create a small amount of security?
The idea is that the number of passwords which need to be tried to guarantee success in a brute force attack is:
CharacterSetSize ** PasswordLength
By forcing the user to expand beyond 26 lowercase letters, to include upper case, numerals, and punctuation characters, the character set size expands from 26 to 94. So, for a given password length...
possible lowercase passwords = 26 ** length
possible full charset passwords ~= 94 ** length
94 ** length = (26 * 3.615) ** length
So, using only the lowercase character set, you need 3.615 times as many characters to get the same level of security against brute force attacks as using the full character set. Thus the security level against brute force attacks of a length=10 password using 94 characters is about the same as that of a length=36 password using only lowercase letters.
Who was it I saw recently...had a password that was a 20-30 digit prime-looking number. Ouch!
I hope it isn't restricted to just prime numbers...that would make the list of passwords to try rather short compared to just any randomly chosen number of the same length. And restricting to only characters 0-9 is actually a horrible choice... By the same principles as above, 30/(26/10) = 30/2.6 = 11.5, a 30-digit numeral is equivalent to an 11.5 character password of lowercase letters, and 30/(94/10) = 30/9.4 = 3.2 and equivalent to a password of only 3 characters if uppers, lowers, numerals and punctuation are all equally probable password characters.
Viva la biometrics!
The Tuesday 2008-05-20 at 19:26 -0400, Washington Irving wrote:
The idea is that the number of passwords which need to be tried to guarantee success in a brute force attack is:
CharacterSetSize ** PasswordLength
By forcing the user to expand beyond 26 lowercase letters, to include upper case, numerals, and punctuation characters, the Character set size expands from 26 to 94
So, change to hexadecimal passwords, made with a random generator. Char set size = 255 :-P
More seriously, though, for some time I had to enter a login password composed from some digits taken from a little gadget that displayed a pin number that changed every minute (and different for every employee), and a remembered pin: the combo is not guessable nor breakable by brute force. They need to steal the gadget and force the pin out of the user.
However, if you force users to create very difficult passwords, they will have to write them up, and that's a worse liability than relatively weak passwords.
--
Cheers,
Carlos E. R.
Carlos E. R. wrote:
The Tuesday 2008-05-20 at 19:26 -0400, Washington Irving wrote:
The idea is that the number of passwords which need to be tried to guarantee success in a brute force attack is:
CharacterSetSize ** PasswordLength
By forcing the user to expand beyond 26 lowercase letters, to include upper case, numerals, and punctuation characters, the Character set size expands from 26 to 94
So, change to hexadecimal passwords, made with a random generator. Char set size = 255
Have fun typing values greater than 127
:-P
More seriously, though, for some time I had to enter a login password composed from some digits taken from a little gadget that displayed a pin number that changed every minute (and different for every employee), and a remembered pin: the combo is not guessable nor breakable by brute force. They need to steal the gadget and force the pin out of the user.
However, if you force users to create very difficult passwords, they will have to write them up, and that's a worse liability than relatively weak passwords.
What I do is this... I have a "standard" part to all of my passwords -- it's based on a password which I used back in college for several years -- back before machines were fast enough to do a brute-force attack on an 8-character password in less than a month, and even then, I was using a passphrase rather than trying to use a word of letters. Anyways, when I have to have an extremely long password which I can't remember... I write down the other part, but omit my "standard" string. This way, even if someone finds my password cheat sheet...they still don't have my passwords.
On Wednesday, 21 May 2008 01:56:41, Washington Irving wrote:
Anyways, when I have to have an extremely long password which I can't remember... I write down the other part, but omit my "standard" string. This way, even if someone finds my password cheat sheet...they still don't have my passwords.
but you're vulnerable if someone gets your "standard" password somehow. Remember there are keyloggers (at least some employers use them); also, not every database transmits nor saves the password encrypted....
Greetings
Michael
On Wed, May 21, 2008 at 8:31 AM, M. Skiba <mailinglist@michael-skiba.de> wrote:
On Wednesday, 21 May 2008 01:56:41, Washington Irving wrote:
Anyways, when I have to have an extremely long password which I can't remember... I write down the other part, but omit my "standard" string. This way, even if someone finds my password cheat sheet...they still don't have my passwords.
but you're vulnerable if someone gets your "standard" password somehow. Remember there are keyloggers (at least some employers use them)
True, but if you work for someone who uses keyloggers, the passwords are theirs, as is the computer, the desk, the chair, and your time. Accessing other off-site facilities (such as your webmail) using their facilities is probably already a violation of their company policy. Cut and paste from a web page can usually defeat keyloggers.
-- ----------JSA---------
M. Skiba wrote:
On Wednesday, 21 May 2008 01:56:41, Washington Irving wrote:
Anyways, when I have to have an extremely long password which I can't remember... I write down the other part, but omit my "standard" string. This way, even if someone finds my password cheat sheet...they still don't have my passwords.
but you're vulnerable if someone gets your "standard" password somehow. Remember there are keyloggers (at least some employers use them); also, not every database transmits nor saves the password encrypted....
I suppose that's possible...but then, NOTHING protects you from a keylogger other than systems which change your password rather rapidly. As it is, I vary my passwords in a very methodical way...such that with the large majority, I don't have to write down my variation....yet without collecting a bunch of these passwords, simply seeing one will not reveal the construction of the others.
Greetings Michael
Linda Walsh wrote:
Jeremy Leonard wrote:
I need to require users to use 2 caps, 2 lowercase, 2 special, and 2 numbers.
Wow....what's this for? Sounds like it would be a royal pain in the posterior....
Why so many special requirements? Isn't it more important for a user to have an unbreakable or unguessable password than to meet certain criteria of characters? Tell users just to use a "passphrase" instead of a password...and require 20 characters or more. Wouldn't that create a small amount of security? Who was it I saw recently...had a password that was a 20-30 digit prime-looking number.
Not only is this a PITA, it gives you less overall security. People can't memorize the passwords, so they have to write them down, and usually leave them in the vicinity of their monitor. If they don't write them down they use keyboard patterns rather than words/phrases. This makes it easier for a password cracker, just test for a fairly small subset of patterns.
The knuckleheads that come up with these requirements mean well, they just didn't do their homework. They can increase password entropy more by increasing length, rather than width. Just count the bits. Width requirements would make sense in the old-days when passwords were limited to eight characters.
Regards,
Lew
Lew Wolfgang wrote:
Linda Walsh wrote:
Jeremy Leonard wrote:
I need to require users to use 2 caps, 2 lowercase, 2 special, and 2 numbers.
Wow....what's this for? Sounds like it would be a royal pain in the posterior....
Why so many special requirements? Isn't it more important for a user to have an unbreakable or unguessable password than to meet certain criteria of characters? Tell users just to use a "passphrase" instead of a password...and require 20 characters or more. Wouldn't that create a small amount of security? Who was it I saw recently...had a password that was a 20-30 digit prime-looking number.
Not only is this a PITA, it gives you less overall security. People can't memorize the passwords, so they have to write them down, and usually leave them in the vicinity of their monitor. If they don't write them down they use keyboard patterns rather than words/phrases. This makes it easier for a password cracker, just test for a fairly small subset of patterns.
Unfortunately, this is true.
The knuckleheads that come up with these requirements mean well, they just didn't do their homework. They can increase password entropy more by increasing length, rather than width. Just count the bits. Width requirements would make sense in the old-days when passwords were limited to eight characters.
Regards, Lew
Lew Wolfgang wrote:
Linda Walsh wrote:
Jeremy Leonard wrote:
I need to require users to use 2 caps, 2 lowercase, 2 special, and 2 numbers.
Wow....what's this for? Sounds like it would be a royal pain in the posterior....
<snip>
Not only is this a PITA, it gives you less overall security. People can't memorize the passwords, so they have to write them down, and usually leave them in the vicinity of their monitor. If they don't write them down they use keyboard patterns rather than words/phrases. This makes it easier for a password cracker, just test for a fairly small subset of patterns.
The knuckleheads that come up with these requirements mean well, they just didn't do their homework. They can increase password entropy more by increasing length, rather than width. Just count the bits. Width requirements would make sense in the old-days when passwords were limited to eight characters.
Agreed, to a point. A long password that is memorable to the user is probably more effective than a short password that they cannot memorise. (Credit Card PIN numbers are a classic example of the latter). The main issue with passwords is that the major vulnerability is the people who have the passwords. I remember a survey which showed that up to a third of office workers would give their password in exchange for a bar of chocolate. I also had an acquaintance in a telecoms organisation that required each individual piece of kit to have a unique security code; faced with having to memorise 200+ security codes, the engineers put post-it stickers on all the relevant kit. (As this was in highly secured buildings this was less of an issue, but if the intent was to ensure that only people with a certain clearance could access particular kit, a zoning scheme may have been more sensible).
As for biometrics, except for the most sophisticated (and expensive) fingerprint scanners, fingerprint scanning is easily subverted (someone lifted the fingerprint of a senior EU official and demonstrated it could be used fairly recently). Retinal scanners maybe... depending whether a serious case of red-eye for one reason or another can be handled.. Voice recognition not really on its own... In combination these would probably be very effective (though the vision of people holding a laptop to their eyeball while pressing their thumbs to the mouse pad and shouting at the machine might raise a few eyebrows.... :-) ... oh hang on a minute... )
I think this is the point at which we have wandered OT a fair bit and should move the thread elsewhere ...
--
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
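As an added example (my own code, not from the thread, openSUSE or the PAM modules), a Python model of what the posts above configure and argue about: pam_cracklib-style class minimums via negative credits, an opasswd-like ten-entry history, the read-before-write module order that Anders corrects, and the search-space bits behind Lew's length-versus-width point. The class names, the SHA-256 stand-in hashing and the record_before_check flag are my simplifications.

```python
import hashlib
import math
import os
import string
from collections import deque

# Policy from the original post: minlen=9 with every class credit = -2.
# In pam_cracklib a negative credit is a minimum count of that class
# (positive credits, which add to the length score, are not modelled).
POLICY = {"minlen": 9, "digit": -2, "upper": -2, "other": -2, "lower": -2}
CLASS_SIZES = {"digit": 10, "upper": 26, "lower": 26,
               "other": len(string.punctuation)}  # 10+26+26+32 = 94
HISTORY_DEPTH = 10  # "keep a history of their last 10 passwords"

def class_counts(pw):
    return {"digit": sum(c.isdigit() for c in pw),
            "upper": sum(c.isupper() for c in pw),
            "lower": sum(c.islower() for c in pw),
            "other": sum(not c.isalnum() for c in pw)}

def check_policy(pw, policy=POLICY):
    """Return the list of violations; an empty list means the password passes."""
    problems = [f"need at least {-policy[cls]} {cls} chars, got {n}"
                for cls, n in class_counts(pw).items() if n < -policy[cls]]
    if len(pw) < policy["minlen"]:
        problems.append(f"length {len(pw)} is below minlen={policy['minlen']}")
    return problems

class PasswordHistory:
    """Stand-in for /etc/security/opasswd (which really holds crypt(3) hashes)."""
    def __init__(self, depth=HISTORY_DEPTH):
        self.entries = deque(maxlen=depth)  # the oldest entry drops off at depth+1

    def record(self, pw):
        salt = os.urandom(8)
        self.entries.append((salt, hashlib.sha256(salt + pw.encode()).digest()))

    def is_reused(self, pw):
        return any(hashlib.sha256(salt + pw.encode()).digest() == h
                   for salt, h in self.entries)

def change_password(history, new_pw, record_before_check=False):
    """Model of the stack order. The first post ran pam_pwcheck (which, with
    remember=, writes opasswd) before pam_cracklib (which only reads it), so
    every new password came back as used before; record_before_check=True
    reproduces that, False is the corrected read-then-write order."""
    if record_before_check:
        history.record(new_pw)
    if history.is_reused(new_pw):
        return "password has been used before"
    problems = check_policy(new_pw)
    if problems:
        return "; ".join(problems)
    if not record_before_check:
        history.record(new_pw)
    return "password updated"

def search_space_bits(pw):
    """Brute-force search space in bits, length * log2(alphabet), where the alphabet
    is the union of classes the password uses (26 pure lowercase, 94 all four)."""
    if not pw:
        return 0.0
    counts = class_counts(pw)
    alphabet = sum(size for cls, size in CLASS_SIZES.items() if counts[cls])
    return len(pw) * math.log2(alphabet)
```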
participants (9)
- Anders Johansson
- Carlos E. R.
- G T Smith
- Jeremy Leonard
- John Andersen
- Lew Wolfgang
- Linda Walsh
- M. Skiba
- Washington Irving