On Fri, 2011-02-11 at 15:44 +0100, Alain Roger wrote:
> 2. in our company password must be changed every 60 days.

Actually, that's not a security measure. It's a false belief. And it tends to have the opposite effect. It's harder for people to remember changing passwords, particularly when they have to remember lots of different passwords. So they're far more likely to write it down, and they're likely to write it somewhere that's easily spied upon.

Changing it won't make it any harder to make a random guess at it. It's just about as hard to guess it, no matter whether it stays the same or periodically changes. Or, it's just as likely that you might guess what it changed to as guess what it has always been.

Likewise, it's only one chance easier to guess a password that isn't changed by going through a dictionary attack and keeping track of which words you've already tried (i.e. if you could pick one word from a list of 600,000 words that you might use, that's a 1/600,000 chance of guessing it; then if you changed it, it's a 1/599,999 chance of getting it right, presuming no repeats; that's hardly a significant change).

If a password has already been cracked, that should have been detected. If you're not checking for cracking attempts, you're not doing good security.

> a) how can I store username and password in a not human readable way
> (encrypted for example) and still make it available for yum, or other
> purposes like firefox ?

Encrypt the whole drive contents, so it's ready normally while running, but isn't readable if someone steals the drive? Run a local proxy that uses your password to access the secured one, and your local apps all go through your unsecured but restricted local proxy?

Securing the local copy is going to be a bit pointless if you blurt it out unencrypted across the network (e.g. in HTTP requests) to be easily seen, anyway.

> b) how can I change it only once, and have that change be applicable
> for all purposes like yum, firefox, and so on... ?

The simple solution for setting your password in one place, and everything always using *that* password, is for all configuration files that have a password set in them to have their config scripts import your password from a single known file that holds the password.

What about not storing the password in a file? Store it as a variable held in memory. You type it in once, when requested to, and everything sources that variable. And it's reset when you log out.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
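Added example (not from Tim's message or from Fedora): a POSIX shell sketch of the "variable held in memory" approach above, where the password is read once per session, kept only in a shell variable, and rendered into a per-application config file only when needed. The function names load_password, render_config and clear_password, the variable SESSION_PASSWORD and the @PASSWORD@ token are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical session-password helpers (added example, not from the thread).
# Source this file from your shell startup; call clear_password from logout.

# Read the password once from stdin, with echo off when on a terminal.
# It is kept in a plain (non-exported) shell variable, so child processes
# do not inherit it through their environment (/proc/PID/environ).
load_password() {
    if [ -t 0 ]; then
        stty -echo
        printf 'Password: ' >&2
        IFS= read -r SESSION_PASSWORD
        stty echo
        printf '\n' >&2
    else
        IFS= read -r SESSION_PASSWORD
    fi
    [ -n "$SESSION_PASSWORD" ]
}

# Copy a config template to OUT, replacing every @PASSWORD@ token with the
# in-memory value. Parameter expansion is used instead of sed, so characters
# such as / & \ in the password need no escaping. OUT is recreated under
# umask 077 so it ends up mode 0600.
render_config() {
    template=$1
    out=$2
    rm -f "$out"
    ( umask 077; : > "$out" )
    while IFS= read -r line || [ -n "$line" ]; do
        result=''
        rest=$line
        while [ "${rest#*@PASSWORD@}" != "$rest" ]; do
            result=$result${rest%%@PASSWORD@*}$SESSION_PASSWORD
            rest=${rest#*@PASSWORD@}
        done
        printf '%s\n' "$result$rest" >> "$out"
    done < "$template"
}

# Forget the password, e.g. from ~/.bash_logout.
clear_password() {
    unset SESSION_PASSWORD
}
```

The rendered file still holds the password in clear text for as long as it exists, so generate it just before the tool runs and remove it afterwards.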