Security awareness (Re: Questions regarding using ciphers as stream ciphers)


Daniel J. Frasnelli (dfrasnel@csee.wvu.edu)
Tue, 27 Apr 1999 13:25:46 -0400 (EDT)


> This is right, of course. Here's an additional data point to the many
> already known. A few weeks ago we bought a passwd/shadow pair along
> with a second hand Sun box. Because there was a root password not known
> to us we had to break in to start using it. Then, just for snix, we ran
        You could just boot into single-user mode from SunOS media,
mount the fs, null out the password and make a new one. I hope this is
what you did, at least :) Yet another example of when lack of physical
security counteracts system and data security.

> crack on the files and got 15 successes. Most of these passwords were
> equal to the username. Some of the rest were $username."1".
        Or even worse is the case of "passwd1", which I discovered at
one site.
 
> The reason I gave up cracking passwords in my previous job was that
> nobody ever improved them as a result.
        Passwords are the inherent weakness of multiuser systems,
as you are aware. As part of the security crackdown at the place of
employment mentioned above, we took the issue of passwords out of
the users' hands and placed it under administrative control.
All passwords were cleared and reset to passphrases that resembled
English words or phrases (my example was always "2b0RnOt2B") and
nispasswd access was limited to root.
        That was in a workplace where the computer users were
non-expert and application-driven. All the workers knew was that they
sat down at a "black box", typed in a few phrases, and were able to
run the needed application. At my current workplace, where we
manage accounts of computer scientists/engineers, an authoritarian
grasp on passwords is unacceptable and would be frowned upon. And so,
we routinely run password crackers which check for vulnerability to
a dictionary attack.
        And we find at least 120 accounts with weak passwords, send
nasty notes to the users, and they come in to change their passwords.
My office is like a Catholic confessional every couple weeks.
"Oh yes, I know I'm not supposed to use that as a password",
"I promise it will never happen again", and my personal favorite,
"This is the name of my [spouse/pet/houseplant/neighbor]. Like who's
going to guess that?!". Oh, they choose something secure when in
front of me. And within a couple days, they change the passwords back
to something weak.
        We can alleviate the problem of passwords through one-time
passwords (S/key), nispasswd/passwd wrappers which check against a
dictionary during a password change, application layer encryption
such as an IMAP server which uses SSL, network layer such as IPSEC,
and a host of other technologies.
        But none of these technologies, and no algorithm or software
package that I know of, addresses the actual disease. It is human
nature to be lazy, and this applies to either users or administrators.
A step forward in the right direction towards curing this problem is
educating your userbase about security - real education, not "let me
quote some algorithms and formal methods to make you feel stupid" ploys.
        Keeping your users and administrators abreast of your site's risk
vectors is essential - it is easier to stay alert to potential
"risky" activities while online if a person is aware of how that
information might be exploited to gain unauthorized access to information.
Various DOD and government agencies put their employees through this
on a regular basis, known as "security indoctrination and reinforcement".
It's not something to cause paranoia (although it can), but rather to create a
heightened sense of awareness when it comes to security issues.

---
 Daniel J. Frasnelli                    Infosec analyst and cryptographer
  He who wonders discovers that this in itself is wonder. -- M.C. Escher
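One shape the passwd/nispasswd wrapper mentioned in the message could take, as an added example that is not the poster's own code: it rejects the weak choices the thread lists (password equal to the username, username plus a digit, "passwd1"-style words) and goes slightly beyond them by also undoing common digit-for-letter substitutions and checking the reversed form before accepting a change. The word list, the username "mwilliams", the minimum length and the helper names are constructed assumptions.

```python
import re

# Constructed stand-in for a system word list (a real wrapper would read
# /usr/dict/words or a cracker's dictionary); assumption, not from the post.
DICTIONARY = {"password", "passwd", "secret", "sunshine", "welcome", "letmein"}

# Trailing digits or punctuation that users append to an otherwise weak word.
_TRAILING = re.compile(r"[0-9!@#$%^&*]+$")
# Common digit-for-letter substitutions, undone before the dictionary lookup.
_UNLEET = str.maketrans("0134$5@7", "oieassat")


def _variants(candidate):
    """Forms a dictionary cracker would try, in checking order."""
    low = candidate.lower()
    stripped = _TRAILING.sub("", low)
    yield low
    yield stripped
    yield stripped.translate(_UNLEET)
    yield low[::-1]


def check_password(username, candidate, dictionary=DICTIONARY, min_len=6):
    """Return (accepted, reason) for a proposed password change."""
    if len(candidate) < min_len:
        return False, "too short"
    user = username.lower()
    for form in dict.fromkeys(_variants(candidate)):  # dedupe, keep order
        if not form:
            continue
        if form == user:
            return False, "derived from username"
        if form in dictionary:
            return False, "dictionary word"
    # Require at least two of: lower, upper, digit, punctuation.
    classes = sum(any(test(c) for c in candidate) for test in
                  (str.islower, str.isupper, str.isdigit,
                   lambda c: not c.isalnum()))
    if classes < 2:
        return False, "only one character class"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("mwilliams", "mwilliams1", "passwd1", "P@ssw0rd", "2b0RnOt2B"):
        print(pw, check_password("mwilliams", pw))
```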



The following archive was created by hippie-mail 7.98617-22 on Thu May 27 1999 - 23:44:23