
Re: Found, a new rootkit



From: "Mike McCarty" <Mike McCarty sbcglobal net>

Tim wrote:
On Tue, 2006-04-04 at 00:46 -0500, Mike McCarty wrote:

Should include at least one "special" character.


When telling someone that, you really need to define what you mean by
"special".  I know the next bit goes somewhat towards that, but it's
still a bit too vague.  You can also get people trying to use characters
that can't be used with some password systems.  It would really help if
password systems would accept any character that you can type on the
keyboard.

IMO, these rules need to be enforced by the password system itself.
So, exactly what constitutes a "special" character should be built
into it, and if an invalid character is detected, then a useful
error message should be generated.

Anyway, I wasn't trying to write out a fully comprehensive set of rules.
I was simply stating what I consider to be the minimum security.
Guidelines, not rules.

Another good guide is:

Enforce changing of passwords on at least a monthly basis.
Do not permit re-use of old passwords.

Experience indicates that people rotate sets of four or five passwords
in that case.

A major part of the whole issue is defining what kind of attacks you
are likely to face. Is the attacker likely to be able to read your
shadow file?

If not, as with the sshd attack that started this thread, you fall down
to a second question, "How fast is the attacker able to recycle failed
login requests?"

If the answer is 30 seconds then "bcdefghi" is a password that is good
for over 200 years of random guessing. It might run afoul of straight
dictionary attacks, though. "ShumphUz", on the other hand, would take
just as long against random attacks and is order two on dictionary
attacks with a dictionary of four letter pronounceable word fragments.
You're probably still good for most of your life expectancy. This
advantage evaporates if the shadow file is readable by the attacker.
Then brute forcing an eight letter password's the work of a short
exercise on a modest machine. And I've never been convinced that
increasing the alphabet from 52 "letters" to 62 "letters" or even
95 "letters" is an additional huge win, especially when one presumes
the odd character (non-alnum) is usually at a syllable splice. Add
another character or two of pure alpha and you're pretty much just as
well off.

{^_^}
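The arithmetic behind the last message (online guessing at one attempt per 30 seconds versus offline cracking of a readable shadow file, and alphabet size versus password length) can be checked with a small calculator. This is an added example, not code from the thread or from any of its participants. The 30-second recycle time and the alphabet sizes 26, 52, 62 and 95 come from the post; the offline rate of 10^9 guesses per second is a constructed assumption standing in for "a modest machine" against a fast, unsalted hash, and real rates depend heavily on the hash algorithm and hardware.

```python
# Added example: quantify the password-search reasoning from the post above.
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes named in the post
LOWER = 26        # "bcdefghi": lowercase only
ALPHA = 52        # "ShumphUz": mixed case
ALNUM = 62        # letters plus digits
PRINTABLE = 95    # every printable ASCII character


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols over the alphabet."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: every extra symbol adds log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for a blind search; the expected time is half of this."""
    return keyspace(alphabet_size, length) / guesses_per_second


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def fragment_attack_space(dictionary_size: int, fragments: int) -> int:
    """Guesses needed when the password is built from `fragments` entries of a
    pronounceable-fragment dictionary (the post's "order two" case is fragments=2)."""
    return dictionary_size ** fragments


def extra_length_to_match(base_alphabet: int, length: int, bigger_alphabet: int) -> int:
    """How many extra symbols of `base_alphabet` are needed so that a password of
    length+extra over base_alphabet has at least the entropy of `length` symbols
    over `bigger_alphabet`.  Answers the "alphabet vs. length" question in the post."""
    target_bits = bits_of_entropy(bigger_alphabet, length)
    per_symbol = math.log2(base_alphabet)
    return math.ceil(target_bits / per_symbol) - length


def compare_scenarios() -> dict:
    online_rate = 1 / 30   # one failed login every 30 s, as stated in the post
    offline_rate = 1e9     # constructed assumption: guesses/s against a readable shadow file
    return {
        # "bcdefghi" against rate-limited online guessing
        "online_lower8_years": years_to_exhaust(LOWER, 8, online_rate),
        # the same password once the attacker can crack offline
        "offline_lower8_seconds": seconds_to_exhaust(LOWER, 8, offline_rate),
        # "ShumphUz"-style mixed case, offline
        "offline_alpha8_hours": seconds_to_exhaust(ALPHA, 8, offline_rate) / 3600,
        # entropy of eight symbols over the three alphabets the post compares
        "bits_8_symbols": {size: round(bits_of_entropy(size, 8), 1) for size in (ALPHA, ALNUM, PRINTABLE)},
        # how much pure-alpha length buys the same security as a bigger alphabet
        "alpha_extra_to_match_alnum": extra_length_to_match(ALPHA, 8, ALNUM),
        "alpha_extra_to_match_printable": extra_length_to_match(ALPHA, 8, PRINTABLE),
    }


if __name__ == "__main__":
    for name, value in compare_scenarios().items():
        print(f"{name}: {value}")
```

With these inputs the eight-lowercase-letter password survives roughly two hundred thousand years of rate-limited online guessing but only a few minutes offline, and two extra mixed-case letters buy more entropy than widening the alphabet from 52 to 95 symbols at the same length, which is the point the post makes. The calculator is for sizing a policy against the attack you actually expect (online lockout versus hash disclosure), not for choosing specific passwords.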

