expired passwords

Tim ignored_mailbox at yahoo.com.au
Tue Mar 11 21:13:12 UTC 2008


On Tue, 2008-03-11 at 16:32 +0000, Stuart Sears wrote:
> You type in an account name and immediately get told that the password
> has expired?
> This is a security flaw, as it immediately exposes the fact that you 
> have typed in a valid account name (you could be anyone trying to
> login). 

Expiring passwords is a security flaw in itself.

Not expiring passwords is fine (i.e. always using the same one on a
system), if nobody else has cracked it.  It's just as easy for them to
crack one password as it is another.

Expiring them pushes users into trying to come up with something that
they can remember, and they'll probably forget passwords if they have to
keep on changing them.  Then they'll write them down...  Either way,
this password can still be cracked, changing it didn't make cracking it
any harder.

It's not like in the movies, where you can work on cracking a password,
step by step.  You either crack it in one go, or you don't.  You don't
get clues.  Even progressively stepping through a large dictionary
doesn't help, the cracker doesn't know if yesterday's failed attempts
will fail again, or might be worth trying today.  They don't know if
you're using the same passwords, or not.

Better security is:  Disallowing the setting of stupid passwords in the
first place (yes, forbid it, don't just warn against it).  Alerts that
cracking attempts seem to be happening, and prompt lockouts during the
attempts.  Alerts should go to the owner and admins when passwords have
changed.

It strikes me that a detected cracking attempt on a Linux server should
start dinging the motherboard bell, rather than just silently handling
it.  You want an admin to look up and check why the computer's alarmed
about something, straight away.  Rather than discover some problem long
after it happened, as you peruse daily log watch reports.

-- 
(This computer runs FC7, my others run FC4, FC5 & FC6, in case that's
 important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
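The "alert on cracking attempts and lock out promptly" idea from the post above, as an added example that is not from the thread or from Fedora: a small Python detector that parses constructed sshd-style auth log lines, keeps a sliding window of failures per source address, locks the source out once it reaches a threshold, and raises a second alert if a locked-out source later logs in successfully. The hostname, addresses, user names and thresholds are all made-up sample values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of a Linux auth log (not real data).
SAMPLE_LOG = """\
Mar 11 21:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar 11 21:00:02 host sshd[1202]: Failed password for invalid user root from 203.0.113.5 port 40002 ssh2
Mar 11 21:00:03 host sshd[1203]: Failed password for tim from 203.0.113.5 port 40003 ssh2
Mar 11 21:00:04 host sshd[1204]: Failed password for tim from 203.0.113.5 port 40004 ssh2
Mar 11 21:00:05 host sshd[1205]: Failed password for tim from 203.0.113.5 port 40005 ssh2
Mar 11 21:00:40 host sshd[1206]: Accepted password for tim from 203.0.113.5 port 40006 ssh2
Mar 11 21:05:00 host sshd[1207]: Failed password for tim from 198.51.100.7 port 50001 ssh2
Mar 11 21:30:00 host sshd[1208]: Failed password for tim from 198.51.100.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def detect(log_text, threshold=5, window_s=60, year=2008):
    """Return (alerts, lockouts). An alert is raised when one source reaches
    `threshold` failures inside `window_s` seconds (and that source is locked
    out), and again if a locked-out source later gets an 'Accepted' line."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    lockouts = {}                 # source -> time the lockout started
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd password event; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        if m["result"] == "Accepted":
            if src in lockouts:   # guessing may finally have succeeded
                alerts.append(("login-after-lockout", ts, src, m["user"]))
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop stale failures
            q.popleft()
        if len(q) >= threshold and src not in lockouts:
            lockouts[src] = ts
            alerts.append(("bruteforce", ts, src, len(q)))
    return alerts, lockouts
```

In the sample, 203.0.113.5 hits five failures within a minute and is locked out; the two failures from 198.51.100.7 are 25 minutes apart and fall outside the window, so they raise nothing.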
