Craig White wrote:
On Sat, 2006-04-01 at 08:42 +0800, John Summerfield wrote:
Craig White wrote:
it's actually the fault of the admins who don't use any password
checking mechanisms, but I suppose that it's more feasible to blame
stupid users...of course, I would never do such a thing ;-)
There is quite a deal of well-reasoned debate about what constitutes a
good password.
First, one needs to be able to remember it without writing it down. This
meets Windows AD complexity requirements,
10:72:94:e5:64:d5:68:51:d1:55:c0:2b:e5:4e:7f:fa
----
of course, Windows computers keep the hash lying around, which is fairly
easily cracked ;-)
If you're that close to the computer, all bets are off, Linux or
Windows: you don't need administrative rights to do lots of bad stuff.
----
but I defy anyone to remember it any time soon!
"bismcoles" would probably be easy for Bill Smith to remember, and would
certainly defy any dictionary attack. As would "bluewatermelon."
The expect package has a password generator that creates passwords like
this, but again they're hard to remember: "et3tUfGd."
A reasonable security system would shut down the login process for a
time after some number of consecutive failed login attempts. It's a rule
that's been around for a long time; it's even in Linux, but implemented
poorly.
----
that's why you actually have to think about what you are doing when you
permit shell account access on a system that is exposed to the Internet.
ftp and email are good ways to enumerate accounts and look for
passwords. Having opened an account, they then try for shell access :-\
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
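The three mechanisms the thread touches on, as an added example that is not part of the original messages: an AD-style "password must meet complexity requirements" check, a crude dictionary check of the kind a cracker's wordlist would do, and a pam_faillock-style lockout that refuses logins for a while after consecutive failures. The thresholds (3 failures in 15 minutes locks for 10 minutes), the wordlist and the leet-speak table are assumptions chosen for illustration; the passwords it is tried against are the ones quoted in the thread.

```python
"""Added example (not from the original thread): AD-style complexity check,
a naive dictionary check, and a consecutive-failure lockout. Thresholds and
the wordlist below are assumptions for illustration only."""
import string
from dataclasses import dataclass, field

# Constructed wordlist standing in for a cracker's dictionary (assumption).
WORDLIST = {"password", "letmein", "bill", "smith", "blue", "water",
            "melon", "watermelon", "coles", "welcome"}


def ad_complexity_ok(password: str, username: str = "") -> bool:
    """Windows AD complexity rule: at least 6 characters, must not contain
    the account name (when that is 3+ characters), and must use characters
    from at least 3 of 4 classes (upper, lower, digit, non-alphanumeric).
    Note that it says nothing about guessability: a long all-lowercase
    passphrase fails while a colon-separated hex string passes."""
    if len(password) < 6:
        return False
    if len(username) >= 3 and username.lower() in password.lower():
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation or c == " " for c in password),
    )
    return sum(classes) >= 3


def in_dictionary(password: str, wordlist=WORDLIST) -> bool:
    """Crude dictionary attack: the word lowercased, with a trailing
    digit/punctuation suffix stripped, or with leet substitutions undone.
    Concatenations such as 'bluewatermelon' or initialism+word like
    'bismcoles' are NOT caught, which is the thread's point."""
    base = password.lower()
    candidates = {base, base.rstrip(string.digits + string.punctuation)}
    leet = str.maketrans("@$013", "asole")  # @->a $->s 0->o 1->l 3->e
    candidates.add(base.translate(leet))
    return any(c in wordlist for c in candidates)


@dataclass
class LoginGuard:
    """pam_faillock-style throttle: `deny` consecutive failures within
    `fail_interval` seconds lock the account for `unlock_time` seconds.
    Time is passed in explicitly so the behaviour is testable offline."""
    deny: int = 3
    fail_interval: float = 900.0
    unlock_time: float = 600.0
    _failures: dict = field(default_factory=dict)      # user -> [timestamps]
    _locked_until: dict = field(default_factory=dict)  # user -> unlock time

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user, 0.0)
        if now < until:
            return True
        self._locked_until.pop(user, None)  # lock expired, forget it
        return False

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'failed'. A correct password offered
        while locked is still refused, so the lock cannot be used as an
        oracle to confirm a guess."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures.pop(user, None)  # success resets the counter
            return "ok"
        recent = [t for t in self._failures.get(user, [])
                  if now - t <= self.fail_interval]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.deny:
            self._locked_until[user] = now + self.unlock_time
            self._failures.pop(user, None)
            return "locked"
        return "failed"


if __name__ == "__main__":
    for pw in ("10:72:94:e5:64:d5:68:51:d1:55:c0:2b:e5:4e:7f:fa",
               "bismcoles", "bluewatermelon", "et3tUfGd"):
        print(f"{pw!r}: AD-complex={ad_complexity_ok(pw)} "
              f"in-dictionary={in_dictionary(pw)}")
    g = LoginGuard()
    for t, ok in ((0, False), (10, False), (20, False), (30, True), (700, True)):
        print(t, g.attempt("bill", ok, t))
```

The complexity check and the dictionary check deliberately disagree on "bismcoles" and "bluewatermelon": both fail AD's character-class rule yet neither is in the wordlist, while the hex string sails through the rule and is unrememberable. The lockout keeps the counter per account and only per account, so an attacker spraying one guess across many enumerated accounts is not slowed by it; that case needs a per-source-address limit as well.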