-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

lo,

On Wednesday 18 January 2006 17:15, Paweł Madej wrote:
> Jesse, Rich wrote:
> > 1)  30 day lifetime
> > 2)  Minimum length of 12 (eep!)
>
> These two are not a problem on every Linux box
>
> > 3)  No reuse of passwords (keep password history)
>
> In this case I have a problem: which app could provide such functionality?

There is no way of just doing this with normal PAM that I am aware of unless 
cracklib has been extended.

> > 4)  Check password for dictionary and common variants (e.g. username)
>
> Some proxy between passwd and shadow / PAM ?

cracklib does this.

> > 5)  Do not use system-generated passwords
>
> Do you follow that example with a 30-character password?

??

> > 6)  Teach users to use an algorithm to generate passwords.
>
> User training is very important, but even if you prepare a good training
> plan not everyone will use it. So we have to force them to use our
> policy with points 1-5 from above.

This is the entire point. Forcing users to have complex passwords is, in almost 
all cases, futile as they simply write them down etc. I assume that most 
people know that users are the weakest link and the FIRST thing you do is to 
educate your users, but contrary to what Rich writes, it's my experience that 
while using a simple algorithm seems easy and obvious to the readers of this 
list, it is still beyond most end users (not conceptually but in practice).

The point being that if you don't enforce strong passwords users will use weak 
ones. If you do enforce strong passwords users will use weak means around 
them. It's this catch-22 situation that leads to all security administrators 
moving away from passwords, that and the fact that they are susceptible to 
things like replay attacks, man-in-the-middle attacks and so on.

If you have no choice but to rely on passwords then it's a question of knowing 
your users and setting the password policy as appropriate to that. In most 
cases you are better off enforcing complex passwords and just not caring if 
the end user writes them down, as this is less of a risk than internet-based 
attack vectors.

- --  
Benjamin Smee (strerror)
crypto/forensics/netmail/netmon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.9.20 (GNU/Linux)

iD8DBQFDznrSAEpm7USL54wRAv0SAJ9ZqOaWlDGqogeToW/eIxLbrmI1IwCdFq9E
gcih10B1GadCubA+RiU8aCQ=
=Ro+U
-----END PGP SIGNATURE-----
-- 
[email protected] mailing list
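The quoted policy points 2, 3 and 4 (minimum length of 12, no reuse of previous passwords, rejection of dictionary words and username variants) can be expressed as a small checker. The following is an added example written for this page; it is not cracklib, not a PAM module, and not code from anyone in the thread. The wordlist, the leet-substitution table, the PBKDF2 round count and the sample usernames and passwords are all constructed assumptions; a real deployment would load a full dictionary and use a far higher round count.

```python
"""Password-policy checker for points 2-4 of the quoted list (added example)."""
import hashlib
import os

# Constructed sample wordlist; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "letmein", "secret", "qwerty", "dragon"}

# Common letter-for-symbol substitutions that do not make a word any stronger.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

HISTORY_DEPTH = 5        # how many previous passwords are remembered (assumption)
PBKDF2_ROUNDS = 20_000   # kept low so the example runs quickly; raise in practice


def normalise(text: str) -> str:
    """Lower-case and undo leet substitutions, e.g. 'P@ssw0rd123' -> 'passwordi2e'."""
    return text.lower().translate(LEET)


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest used for the reuse history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def in_history(password: str, history: list) -> bool:
    """True if the password matches any (salt, digest) pair remembered earlier."""
    return any(_hash(password, salt) == digest for salt, digest in history)


def remember(password: str, history: list) -> list:
    """Append the new password's salted hash, keeping only the last HISTORY_DEPTH."""
    salt = os.urandom(16)
    return (history + [(salt, _hash(password, salt))])[-HISTORY_DEPTH:]


def check_password(candidate: str, username: str, history: list,
                   min_length: int = 12, dictionary=DICTIONARY) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < min_length:                       # point 2
        problems.append(f"shorter than {min_length} characters")
    norm = normalise(candidate)
    forms = {norm, norm[::-1]}                            # also catch the reversed form
    user = normalise(username)
    if len(user) >= 3 and any(user in f for f in forms):  # point 4: username variants
        problems.append("based on the username")
    for word in dictionary:                               # point 4: dictionary words
        if len(word) >= 4 and any(word in f for f in forms):
            problems.append(f"based on dictionary word '{word}'")
            break
    if in_history(candidate, history):                    # point 3: no reuse
        problems.append("reused a previous password")
    return problems


if __name__ == "__main__":
    # Constructed demo: one remembered password, then a few candidate changes.
    hist = remember("Old-Trusted-Phrase-2006", [])
    for pw in ["P@ssw0rd123", "drowssap1234", "jrich!2006xxyy",
               "Old-Trusted-Phrase-2006", "Tranquil Harbour 4 Lamps"]:
        print(f"{pw!r:30} -> {check_password(pw, 'jrich', hist) or 'ok'}")
```

The substring check on the normalised forms is what catches `drowssap1234` (reversed "password" with digits) and `P@ssw0rd123`; the history is kept as salted hashes rather than plaintext so that an old password cannot be recovered from the history file itself.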