On Tue, 2008-03-11 at 16:32 +0000, Stuart Sears wrote:

> You type in an account name and immediately get told that the password
> has expired?
> This is a security flaw, as it immediately exposes the fact that you
> have typed in a valid account name (you could be anyone trying to
> login).

Expiring passwords is a security flaw in itself. Not expiring passwords is fine (i.e. always using the same one on a system), if nobody else has cracked it. It's just as easy for them to crack one password as it is another. Expiring them pushes users into trying to come up with something that they can remember, and they'll probably forget passwords if they have to keep on changing them. Then they'll write them down...

Either way, this password can still be cracked; changing it didn't make cracking it any harder. It's not like in the movies, where you can work on cracking a password step by step. You either crack it in one go, or you don't. You don't get clues. Even progressively stepping through a large dictionary doesn't help: the cracker doesn't know if yesterday's failed attempts will fail again, or might be worth trying today. They don't know if you're using the same passwords, or not.

Better security is:

Disallowing the setting of stupid passwords in the first place (yes, forbid it, don't just warn against it).

Alerts that cracking attempts seem to be underway, and prompt lockouts during the attempts.

Alerts should go to the owner and admins when passwords have changed.

It strikes me that a detected cracking attempt on a Linux server should start dinging the motherboard bell, rather than just silently handling it. You want an admin to look up and check why the computer's alarmed about something, straight away. Rather than discover some problem long after it happened, as you peruse daily logwatch reports.

-- 
(This computer runs FC7, my others run FC4, FC5 & FC6, in case that's important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
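The two detection points the post argues for (lock out a source that is hammering the login service, and notify owner and admins when a password changes) can be shown as a small log-watching routine. The following is an added example, not code from the poster or from any Fedora tool; the auth-log lines are constructed in the style of syslog/sshd/PAM output, and the year (syslog timestamps carry none) and the five-failures-per-minute threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth-log lines (syslog style); not captured from a real host.
# 203.0.113.7 fails five times in six seconds, alice mistypes once, bob changes his password.
SAMPLE_LOG = """\
Mar 11 16:40:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 11 16:40:03 host sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 50123 ssh2
Mar 11 16:40:04 host sshd[2101]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 11 16:40:06 host sshd[2101]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar 11 16:40:07 host sshd[2101]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 11 16:41:30 host sshd[2130]: Accepted password for alice from 198.51.100.4 port 41000 ssh2
Mar 11 16:42:00 host sshd[2140]: Failed password for alice from 198.51.100.4 port 41001 ssh2
Mar 11 16:45:00 host passwd[2150]: pam_unix(passwd:chauthtok): password changed for bob
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
CHANGED_RE = re.compile(
    TS + r" \S+ passwd\[\d+\]: pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)"
)

ASSUMED_YEAR = 2008  # assumption: syslog lines carry no year


def parse_ts(text):
    """Turn a syslog timestamp into a datetime (collapsing the double space of 'Mar  1')."""
    return datetime.strptime(f"{ASSUMED_YEAR} " + " ".join(text.split()), "%Y %b %d %H:%M:%S")


def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Scan auth-log lines and return alert events in log order.

    A 'lockout' event fires the first time a source IP accumulates `threshold`
    failed logins inside a sliding `window`; a 'password_changed' event fires
    for every successful password change so owner and admins can be told.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    locked = set()               # ips already reported, so one burst yields one alert
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts, ip = parse_ts(m["ts"]), m["ip"]
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in locked:
                locked.add(ip)
                alerts.append({"kind": "lockout", "ip": ip, "at": ts, "failures": len(q)})
            continue
        m = CHANGED_RE.match(line)
        if m:
            alerts.append({"kind": "password_changed", "user": m["user"], "at": parse_ts(m["ts"])})
    return alerts


if __name__ == "__main__":
    for event in analyze(SAMPLE_LOG):
        if event["kind"] == "lockout":
            # The poster's "motherboard bell": the ASCII BEL rings the terminal bell
            # so someone looks up now rather than finding it in tomorrow's report.
            print("\a", end="")
            print(f"LOCKOUT {event['ip']} after {event['failures']} failures at {event['at']}")
        else:
            print(f"NOTIFY owner+admins: password changed for {event['user']} at {event['at']}")
```

The single failure from alice's address never reaches the threshold, so ordinary typos do not trigger a lockout, while the burst from 203.0.113.7 is reported exactly once; in practice the lockout action would be a firewall rule or PAM tally rather than a print, and the notification would go to the account owner as well as the admin list, as the post suggests.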