
Re: [cobalt-users] Admin/root password security hole



security5143 is not a secure passwd - a secure password would be something
like:

S1mC4u

and that's only 6 chars - it's short for "Security is my Concern for you" -
when developing secure passwords take a phrase and use just the first
letters or last letters of each word - insert a number for a letter where it
makes sense and try to use special characters - I would probably toss a ; at
the beginning and a . at the end or something similar. This then makes the
passwd easy to remember.

There are a gazillion ways to implement secure passwords - not just this one
example I have given here.  You should never use a word from a dictionary
in any way, shape or form, you should never use a row of chars from the
keyboard (i.e.: qwerty or 123456 or 098765, etc.) again there are a gazillion
ways to not set passwords.  All passwords are crackable (sure one time
passwords are much more difficult, but I've seen secureID hacked a few years
back at DefCon) given enough time and patience.  What most companies need to
do is use passwds like the one mentioned above, change them frequently
(30-60 days) and keep a history of passwds used and not allow them to be
reused for 5 times.  Even with this scenario I have seen users simply change
their passwd 5 times and on the sixth time set it to what they had last
month.  All so they can keep the same passwd....ahhh the battle continues

Cracking a passwd like the one above would require brute force, thus making
it take much longer for someone to crack.  Hopefully longer than 30-60 days, then by
the time they did crack it you would have already changed it and they would
have to start over.

It doesn't matter how many characters Linux will use for a passwd if you use
names, dictionary words in any language, etc.  Just because Linux only
accepts 8 chars for a passwd doesn't mean it is a security breach. It all
depends on what you do with the 8 chars you got!



If security is a concern for you and you would like to discuss options for red
teaming or ethical hacking to test your security let me know.

----- Original Message -----
From: Dom Latter <d.latter@xxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, April 25, 2000 9:20 AM
Subject: Re: [cobalt-users] Admin/root password security hole


> Jonas Pasche wrote:
> >
> > "Basically, the reasoning behind the 16 characters is
> > to encourage people to pick secure passwords.  We do realize that Linux
> > truncates beyond 8 characters, but it's probably better for users to have
> > truncated passwords than to have passwords that are too short."
>
> The reasoning is deeply flawed.  A secure password can be
> made insecure through truncation - e.g. "security5143"
> becomes "security".
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
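The truncation point raised in this thread, as an added example that is not part of either message: a small policy check that judges a password by its first 8 characters (the part a traditional Unix crypt() hash actually uses) against a constructed sample dictionary and the keyboard rows named above, so "security5143" is flagged as equivalent to "security" while a phrase-derived password like ";S1mC4u." passes.

```python
import string

# Traditional DES-based crypt() uses only the first 8 characters of a password.
CRYPT_SIGNIFICANT_CHARS = 8

# Constructed stand-in for a real wordlist; a deployment would load a dictionary file.
SAMPLE_DICTIONARY = {"security", "password", "welcome", "dragon", "letmein"}

# US keyboard rows and the digit row; runs like qwerty, 123456 or 098765 match these.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def effective_password(password: str, limit: int = CRYPT_SIGNIFICANT_CHARS) -> str:
    """Return the portion of the password a truncating hash actually sees."""
    return password[:limit]


def truncates_to_same(a: str, b: str) -> bool:
    """True if two passwords collapse to the same value after truncation."""
    return effective_password(a) == effective_password(b)


def is_keyboard_run(s: str, min_len: int = 4) -> bool:
    """True if s is a run along a keyboard row, read forwards or backwards."""
    s = s.lower()
    if len(s) < min_len:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password: str, dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the problems found in the effective (truncated) password; [] means ok."""
    eff = effective_password(password)
    problems = []
    if len(eff) < CRYPT_SIGNIFICANT_CHARS:
        problems.append("shorter than 8 characters")
    # Leading/trailing punctuation (the ";" and "." trick) should not hide a plain word.
    core = eff.lower().strip(string.punctuation)
    if core in dictionary:
        problems.append("effective password is a dictionary word: %r" % core)
    if is_keyboard_run(core):
        problems.append("effective password is a keyboard row: %r" % core)
    classes = [any(c.islower() for c in eff), any(c.isupper() for c in eff),
               any(c.isdigit() for c in eff), any(c in string.punctuation for c in eff)]
    if sum(classes) < 3:
        problems.append("fewer than 3 character classes in the first 8 characters")
    return problems
```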