Re: [cobalt-users] Admin/root password security hole
- Subject: Re: [cobalt-users] Admin/root password security hole
- From: Jonas Pasche <jonas@xxxxxxxx>
- Date: Tue Apr 25 08:25:47 2000
hi fathi,
> The reasoning is deeply flawed. A secure password can be
> made insecure through truncation - e.g. "security5143"
> becomes "security".
Don't tell me that "security5143" is secure -- brute force it (I had a nice
chat with Manuel from Manitu Webhosting about brute force recently and he
explained that to me) and you have the right password within seconds...
heh, nevertheless it has letters _and_ numbers within it... that's _much_
more than most customers do. ;-)))
my experience is: give a customer a password like "cXN!eR05" and he's going
to change it to "password", "test" or "iloveyou" within only a few hours
after getting access to the machine. too bad. and of course i agree that
"security5143" isn't a very good password.
<bastard_operator_from_hell> we're thinking about a simple tool that tries
to crack user passwords as a background process. the idea of e-mails like
"hello. access to your account has been automatically disabled due to a
password that is too easy to guess. please contact the technical support to
get a new password." seems great to me. </bastard_operator_from_hell>
two reasons why we haven't installed it (yet):
- usage of a customer's system resources :(
- our technical support (=me, for example *g*) doesn't want to set 153 new
passwords per day ;-))
what about putting together a small "how can i make my server more
secure"-HOWTO which explains some security basics to everyone? e.g., good
passwords, disable telnet/use ssh, read your mails / use your server
management with an ssh-tunneled connection, close unnecessary ports, don't
give all users shell access, some ipchains basics, some ssl basics... and
so on. i think there are enough users who think just installing all cobalt
updates that are named "blah...security...blah" provides the best security in
the world, but they don't know basic security concepts (even i don't
know them all). what do you think about it?
cya, jonas
____________________________________________
Jonas Pasche
Technischer Support
webagentur Domke GmbH
Rheinstr. 3 - 64283 Darmstadt - Germany
Telefon +49 6151 17742-33
Telefax +49 6151 293173
http://www.domke.de
mailto:j.pasche@xxxxxxxx
____________________________________________
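The truncation problem the quoted text describes ("security5143" collapsing to "security") and the weak-password audit Jonas sketches, as an added Python example that is not part of the original mail or of any Cobalt tool: it assumes an 8-character hash limit like classic DES crypt(3), a constructed list of common passwords, and constructed sample accounts.

```python
# Added example (not from the mail or any Cobalt tool): audit the password a
# truncating hash actually stores, not the one the customer typed.
# Assumption: classic DES crypt(3) keeps only the first 8 characters.
CRYPT_LIMIT = 8

# Constructed mini-list of the passwords the mail says customers pick.
COMMON_PASSWORDS = {"password", "test", "iloveyou", "security"}


def effective_password(password, limit=CRYPT_LIMIT):
    """Return the part of the password a truncating hash actually uses."""
    return password[:limit]


def character_classes(text):
    """Count how many of lower/upper/digit/symbol classes appear in text."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())
    return sum(any(check(c) for c in text) for check in checks)


def audit_password(password, limit=CRYPT_LIMIT):
    """Return findings for one password; an empty list means it passes."""
    findings = []
    eff = effective_password(password, limit)
    if len(password) > limit:
        findings.append(f"hash truncates it to {eff!r}")
    if eff.lower() in COMMON_PASSWORDS:
        findings.append(f"effective password {eff!r} is a common password")
    if len(eff) < limit:
        findings.append(f"effective length {len(eff)} is below {limit}")
    if character_classes(eff) < 3:
        findings.append("fewer than 3 character classes after truncation")
    return findings


def accounts_to_notify(accounts):
    """Map each user with a failing password to its findings: the 'mail the
    customer' half of the policy in the thread, without the disabling."""
    return {user: f for user, pw in accounts.items()
            if (f := audit_password(pw))}


if __name__ == "__main__":
    # Constructed sample accounts; plaintext here is only for illustration.
    sample = {"alice": "security5143", "bob": "cXN!eR05", "carol": "iloveyou"}
    for user, findings in accounts_to_notify(sample).items():
        print(user, "->", "; ".join(findings))
```

Note that the digits in "security5143" never reach the hash, so the effective password has a single character class, which is why the audit treats it like "security".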