On Wed, 2005-02-02 at 13:26, Goose Gosswiller wrote:
> Tim Alberts <talberts <at> msiscales.com> writes:
>
> IMHO it's never a good idea to dual post passwords. The passwd/shadow scenario
> is a single pass one way encryption -- don't know of anyone that's cracked one
> yet!!!
>
> In my world if someone forgets the password, root resets and the user runs the
> passwd command. New password!!!! Period!!!!
>
> If you don't want root to have to intervene you may try to run a "sudo passwd
> one time only script" that allows the user to reset their own password, but it
> should be done with the option to "change on first log in" and when the script
> is finished the user is not left in root.......
>
> Just my two pennies.....
> cheers
> goose

While the password encryption scheme used on Linux and most unix systems is one way, they are susceptible to dictionary attacks. I think it was a package called COPS that I used once on a VAX 11/780 system running a BSD type OS many years ago. I fed it a copy of the shadow file and it spit out about 70% of the users' passwords on the system. (I had permission from my boss to run the tool to check security.) Users pick horrible passwords most of the time.

For the OP's problem, he should set up a process that lets users request that their passwords be reset. A new password is generated and sent to them. If possible, mark the account such that the password MUST be reset on first login. Or at least send out a sufficiently long random password that the users will choose to change at the first opportunity available.

Mind you, the danger here is that you are sending passwords via email, which for 99% of the users out there is NOT encrypted. I would recommend you not use the word password in the message to reduce the chance that someone could scan for such emails.

-- 
Scot L. Harris
webid@xxxxxxxxxx

Blessed are they that have nothing to say, and who cannot be persuaded to say it.
-- James Russell Lowell
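The reset process described in the reply above, as an added example that is not part of the thread: generate a long random password, expire it so the user must change it at first login, and draft a notice that avoids the word "password". It assumes Linux shadow-utils (chpasswd, chage) and /dev/urandom; the 16-character default length is an assumption, and the real commands only run when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Linux shadow-utils.
set -eu

# Generate a random password of the given length (default 16, an assumed
# policy value) from a conservative alphabet, sourced from /dev/urandom.
gen_password() {
    len="${1:-16}"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
    echo
}

# Build the notification text for a user. It deliberately never contains the
# word "password", since the mail will most likely travel in the clear and
# that word is what a scan of intercepted mail would look for.
notice_body() {
    user="$1"; secret="$2"
    printf 'Hello %s,\n\n' "$user"
    printf 'Your account was reset as requested. Temporary login token:\n\n'
    printf '    %s\n\n' "$secret"
    printf 'You will be asked to choose a new one when you first log in.\n'
}

# Apply the reset: chpasswd reads "user:password" on stdin, then chage -d 0
# sets the last-change date to epoch so the password MUST be changed at
# first login. With DRY_RUN=1 (the default) only a summary is printed.
reset_account() {
    user="$1"; secret="$2"
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "DRY RUN: would run chpasswd for $user and chage -d 0 $user"
        return 0
    fi
    printf '%s:%s\n' "$user" "$secret" | chpasswd
    chage -d 0 "$user"
}

# Demonstration against a constructed user name; nothing is changed unless
# DRY_RUN=0 is set in the environment and the script runs as root.
NEW_SECRET=$(gen_password 20)
notice_body alice "$NEW_SECRET"
reset_account alice "$NEW_SECRET"
```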