Re: [cobalt-users] Admin/root password security hole
- Subject: Re: [cobalt-users] Admin/root password security hole
- From: Jonas Pasche <jonas@xxxxxxxx>
- Date: Wed Apr 26 01:13:46 2000
hi jens,
> <bastard_operator_from_hell> we're thinking about a simple tool that tries
> to crack user passwords as a background process. the idea of e-mails like
> "hello. access to your account has been automatically disabled due to a too
> easy-to-guess password. please contact the technical support to get a new
> password." seems great to me. </bastard_operator_from_hell>
> Stupid idea (sorry to say so).
...wasn't really meant to be installed next week. just another "bastard
operator" attack after answering some phone calls like "i can't get my
e-mail" - "what's the username of your account?" - "my... what?" :-)
> The best way is to simply enforce good password methods. Don't let
> users change their password into something "bad".
i totally agree - that's the best way. but we're talking about cobalt
servers, and that means we're not talking about "passwd" (because luckily
most customers don't have shell access) but about the gui
(http://domain.tld/personal/) if a user wants to change his password. i
checked it some minutes ago - the gui _only_ checks (1) if the password
length is within the 3-16 range and (2) if both passwords are the same. no
problem to set it to "aaaaaa" or to "password".
> what about putting together a small "how can i make my server more
> secure"-HOWTO which explains some security basics to everyone? e.g., good
> Read a good O'Reilly book on the subject instead. Start out with
> a good introduction like this one:
well, thanks for the literature tips; i'm going to read the ones i don't
already know :-). what i meant was that it maybe would be a good idea to
share some essentials with the cobalt users list, especially for those
users who want more security than an out-of-the-box cobalt server has, but
who don't want to read 800 pages just to get some basics. i know that
reading those books is important, maybe essential, but IMHO you just can't
separate between people who read them (and are going to be security
experts) and people who don't read them (and are going to stay newbies
their whole life). if i try to imagine what people are on the list, there
are only a few real experts, which isn't bad because this isn't an "experts
help newbies" list but an open discussion list. what i mean is that there
seem to be many people who'd be happy with moderate security for moderate
expenditure. rfc.
cya, jonas.
____________________________________________
Jonas Pasche
Technischer Support
webagentur Domke GmbH
Rheinstr. 3 - 64283 Darmstadt - Germany
Telefon +49 6151 17742-33
Telefax +49 6151 293173
http://www.domke.de
mailto:j.pasche@xxxxxxxx
____________________________________________
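An added illustration of the point made above about the password-change GUI, not code from the original message or from Cobalt: weak_policy() reproduces the only two checks the message says the GUI performed (length within 3-16 and both fields identical), and strong_policy() shows the kind of server-side policy that would stop "aaaaaa" or "password" at the moment the user sets them. The minimum length, the character-class rule and the small blocklist are assumptions chosen for the example; a real deployment would load a much larger blocklist.

```python
"""Password-policy checks for a self-service "change password" form.

weak_policy() mirrors the two checks described in the message (3-16 chars,
both fields match). strong_policy() is an added, stronger check; its
thresholds and blocklist are assumptions for this example, not Cobalt's.
"""
import re

# Constructed sample blocklist; a real deployment would load a large list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Character classes counted by strong_policy().
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def weak_policy(password, confirm):
    """The two checks the message describes: length 3-16 and fields match.

    Accepts "aaaaaa" and "password", which is the problem being discussed.
    """
    return 3 <= len(password) <= 16 and password == confirm


def strong_policy(password, confirm, username="", min_length=10, min_classes=3):
    """Return the list of reasons the password is rejected; empty means OK.

    Collecting every reason (rather than stopping at the first) lets the
    form tell the user everything that needs fixing in one round trip.
    """
    reasons = []
    if password != confirm:
        reasons.append("passwords do not match")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    # Catches "aaaaaa"-style passwords that length alone lets through.
    if len(set(password)) < 4:
        reasons.append("fewer than 4 distinct characters")
    # Only meaningful when the caller knows the account name.
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
    if classes < min_classes:
        reasons.append(f"fewer than {min_classes} character classes")
    return reasons


if __name__ == "__main__":
    for candidate in ("aaaaaa", "password", "Tr0ub4dor&3xyz"):
        print(candidate, "weak:", weak_policy(candidate, candidate),
              "strong:", strong_policy(candidate, candidate) or "accepted")
```

The check must run on the server side of the form handler; a client-side check in the browser is bypassed trivially by submitting the form directly.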