
Re: [cobalt-users] Admin/root password security hole



Jonas Pasche <jonas@xxxxxxxx> writes:

> heh, nevertheless it has letters _and_ numbers within it... that's _much_ 
> more than most customers do. ;-)))

Yep.
 
> <bastard_operator_from_hell> we're thinking about a simple tool that tries 
> to crack user passwords as a background process. the idea of e-mails like 
> "hello. access to your account has been automatically disabled due to a too 
> easy-to-guess password. please contact the technical support to get a new 
> password." seems great to me. </bastard_operator_from_hell>

Stupid idea (sorry to say so).

The best way is to simply enforce good password methods. Don't let
users change their password into something "bad".

Programs exist that will check a user's password so it follows
certain rules (like it must contain numbers, must contain letters in
CAPS, must be at least 6 characters, must not be a "known word", etc.)

If a user tries to use a stupid password, he will not be allowed to
change his password.

> what about putting together a small "how can i make my server more 
> secure"-HOWTO which explains some security basics to everyone? e.g., good 

Read a good O'Reilly book on the subject instead. Start out with
a good introduction like this one:

        http://www.oreilly.com/catalog/csb/

        (Computer Security Basics)

And then go through a basic system administration book like:

        http://www.oreilly.com/catalog/esa2/
        
        (Essential System Administration)

Then read up on networking:

        http://www.oreilly.com/catalog/linag2/

        (Linux Network Administrator's Guide)

And then something like "Building Internet Firewalls"... 

Add a hint of experience... and you're there!


-- 
Jens Kristian Søgaard,
jk@xxxxxxxxxxxx -- http://www.jksoegaard.dk/
Søger du noget? -- http://www.google.com/
echo|perl -ple'$_+=4E-6*!int rand()**2+rand()**2while$i++-1E6'
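The password rules Jens describes above (must contain numbers, must contain capital letters, must be at least 6 characters, must not be a known word), as an added example of such a check in Python. This is not code from the thread, from Jonas or Jens, or from the Cobalt software; the word list, the letter-for-digit substitution table, the minimum length constant and the function names are assumptions made for the example, and the sample passwords are constructed.

```python
"""Password policy check along the lines named in the post:
digits, capital letters, minimum length 6, not a known word.
Added example; not from the cobalt-users thread or the Cobalt software.
"""
from typing import List

# Constructed stand-in for a real dictionary / cracklib word list.
KNOWN_WORDS = {"password", "secret", "letmein", "cobalt",
               "welcome", "admin", "qwerty"}

MIN_LENGTH = 6  # the minimum the post mentions

# Assumed substitution table: undo common letter-for-digit tricks so
# "P@ssw0rd" is still recognised as the known word "password".
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "@": "a", "$": "s", "!": "i"})


def _normalize(pw: str) -> str:
    return pw.lower().translate(_LEET)


def is_known_word(pw: str) -> bool:
    """True if the password is a dictionary word, possibly padded with
    digits ("secret123") or written with digit/symbol substitutions."""
    lowered = pw.lower()
    stripped = lowered.strip("0123456789")
    candidates = {lowered, stripped, _normalize(lowered), _normalize(stripped)}
    return any(c in KNOWN_WORDS for c in candidates if c)


def check_password(pw: str) -> List[str]:
    """Return the list of rules the password breaks; empty means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if is_known_word(pw):
        problems.append("based on a known word")
    return problems


def password_acceptable(pw: str) -> bool:
    """The decision a passwd wrapper would make: deny the change if any
    rule is broken."""
    return not check_password(pw)


if __name__ == "__main__":
    # Constructed sample passwords, not real user data.
    for candidate in ["abc", "summer", "Secret123", "P@ssw0rd", "Xk7#vQm2"]:
        problems = check_password(candidate)
        verdict = "accepted" if not problems else "denied: " + ", ".join(problems)
        print("%-10s %s" % (candidate, verdict))
```

The check runs at password-change time, so a weak choice is refused before it ever lands in the password file; that is the point Jens makes against cracking passwords after the fact. On Linux the same job is normally done by a PAM module such as pam_cracklib rather than a hand-written script.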