Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords

2010-08-11 Thread Bill Longman
On 08/11/2010 01:30 PM, Alan McKinnon wrote:

 I refuse to implement password expiration policies and have a vast array of 
 literature to back me up when some dimwit damager gets on his expiration high 
 horse.
 
 My users pick their own passwords - I present a list of 5 from apg and let 
 them pick one. Accounts do expire if they go unused for 90 days, but not 
 passwords.
 
 What put me onto this policy? I found Gartner recommending password 
 expiration. I find the best security possible is always the opposite of what 
 Gartner says. Discovering how the AD admins in the company go about their 
 jobs was the convincing straw :-)

The bigger buggerboo I see is the password complexity [il]logic.
There's this vapid requirement of all these different types of
characters needed in one's password, yet the thing you really want to
enforce is adequate entropy. If my password is an entire sentence, it
will not be brute-forced, even if I used just ASCII A-z. There's just
too much key space in 4.7^32. At 10^5 attempts per second, you're likely
to find the answer in half a billion years. I hope your keyboard still
works, let alone exists.



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords

2010-08-11 Thread Alan McKinnon
On Thursday 12 August 2010 00:11:12 Bill Longman wrote:
 On 08/11/2010 01:30 PM, Alan McKinnon wrote:
  I refuse to implement password expiration policies and have a vast array
  of literature to back me up when some dimwit damager gets on his
  expiration high horse.
  
  My users pick their own passwords - I present a list of 5 from apg and
  let them pick one. Accounts do expire if they go unused for 90 days, but
  not passwords.
  
  What put me onto this policy? I found Gartner recommending password
  expiration. I find the best security possible is always the opposite of
  what Gartner says. Discovering how the AD admins in the company go about
  their jobs was the convincing straw :-)
 
 The bigger buggerboo I see is the password complexity [il]logic.
 There's this vapid requirement of all these different types of
 characters needed in one's password, yet the thing you really want to
 enforce is adequate entropy. If my password is an entire sentence, it
 will not be brute-forced, even if I used just ASCII A-z. There's just
 too much key space in 4.7^32. At 10^5 attempts per second, you're likely
 to find the answer in half a billion years. I hope your keyboard still
 works, let alone exists.

Your reasoning makes sense, until you consider password length limits imposed 
by machines.

Cisco routers authenticating via Tacacs, for instance, often support nothing 
more than DES hashing (yuck). The hash routines accept up to 10 characters for 
a password but only use the first 8 to calculate the hash.

There are Solaris versions nowhere near EOL yet that have similar limits.

All this makes my life as a system integrator cum authentication go-to guy very 
tricky indeed. Luckily management tends to say "Just do what Alan says. It 
makes him shut up and go away."

:-)

p.s. dig the use of vapid. Wonderful word, truly splendid. Communicates in 5 
letters something that takes paragraphs any other way. I shall make a note for 
future use.

-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords

2010-08-11 Thread Bill Longman
On Wed, Aug 11, 2010 at 4:09 PM, Alan McKinnon alan.mckin...@gmail.com wrote:

 On Thursday 12 August 2010 00:11:12 Bill Longman wrote:
  On 08/11/2010 01:30 PM, Alan McKinnon wrote:
   I refuse to implement password expiration policies and have a vast array
   of literature to back me up when some dimwit damager gets on his
   expiration high horse.
  
   My users pick their own passwords - I present a list of 5 from apg and
   let them pick one. Accounts do expire if they go unused for 90 days, but
   not passwords.
  
   What put me onto this policy? I found Gartner recommending password
   expiration. I find the best security possible is always the opposite of
   what Gartner says. Discovering how the AD admins in the company go about
   their jobs was the convincing straw :-)
 
  The bigger buggerboo I see is the password complexity [il]logic.
  There's this vapid requirement of all these different types of
  characters needed in one's password, yet the thing you really want to
  enforce is adequate entropy. If my password is an entire sentence, it
  will not be brute-forced, even if I used just ASCII A-z. There's just
  too much key space in 4.7^32. At 10^5 attempts per second, you're likely
  to find the answer in half a billion years. I hope your keyboard still
  works, let alone exists.

 Your reasoning makes sense, until you consider password length limits
 imposed by machines.

 Cisco routers authenticating via Tacacs, for instance, often support nothing
 more than DES hashing (yuck). The hash routines accept up to 10 characters
 for a password but only use the first 8 to calculate the hash.

 There are Solaris versions nowhere near EOL yet that have similar limits.

 All this makes my life as a system integrator cum authentication go-to guy
 very tricky indeed. Luckily management tends to say "Just do what Alan says.
 It makes him shut up and go away."

 :-)

 p.s. dig the use of vapid. Wonderful word, truly splendid. Communicates
 in 5 letters something that takes paragraphs any other way. I shall make a
 note for future use.

 --
 alan dot mckinnon at gmail dot com

Absolutely. If you do not change your ENCRYPT_METHOD or your PASS_MAX_LEN
in your login.defs file and are still relying on the back end's ability to
safely store your passwords in DES format, well, you're in trouble.