
Re: Found, a new rootkit



John Summerfield wrote:
Craig White wrote:


it's actually the fault of the admins who don't use any password
checking mechanisms, but I suppose that it's more feasible to blame
stupid users...of course, I would never do such a thing  ;-)


There is quite a deal of well-reasoned debate about what constitutes a good password.

Should not be all letters.
Should include at least one digit.
Should include at least one "special" character.
Should not include non-graphic characters (like CR, LF, CTRL-A).
Should be at least 6 and preferably over 8 characters long.
Should be "rememberable".
Should *not* be written down anywhere.

First, one needs to be able to remember it without writing it down. This meets Windows AD complexity requirements.

Very easy to do, and yet generate "random" letters.

tbatstdgagitw

is one which I would find very easy to remember, for example. Each
letter is the first letter of a word from a sentence I would find
very easy to recall. This particular one is *not* one I would
recommend, as it is one which might very well be tested.[1]

10:72:94:e5:64:d5:68:51:d1:55:c0:2b:e5:4e:7f:fa

but I defy anyone to remember it any time soon!

"bismcoles" would probably be easy for Bill Smith to remember, and would certainly defy any dictionary attack. As would "bluewatermelon."

Neither of these is one I would recommend, and I consider the
"bismcoles" to be especially weak. Passwords containing anagrams of user
names are one of the things I thought of back when I wrote my first
password cracker. If a complete novice can break those, then
anyone could.

The expect package has a password generator that creates passwords like this, but again they're hard to remember: "et3tUfGd."


A reasonable security system would shut down the login process for a time after some number of consecutive failed login attempts. It's a rule that's been around for a long time; it's even in Linux, but implemented poorly.

I have indeed written just such programs for telephone switches.
One of them *permanently* disabled logins from the terminal
with attempted compromises, requiring system supervisor manual
intervention to restore.

[1] 'Twas brillig, and the slithy toves did gyre and gimble in the wabe

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!

