Re: Is a cryptic password always necessary?
On Thu, Apr 27, 2000 at 06:49:02PM -0800, Ethan Benson wrote:
> On Fri, Apr 28, 2000 at 09:21:43AM +0700, Oki DZ wrote:
> > BTW, does anyone use MD5 for /etc/shadow? I'd like to use it, but how do I migrate from crypt() to MD5? I don't think that just changing the entry in the config file (/etc/login.conf?) would be sufficient.
>
> if you're using slink changing /etc/login.conf is all it takes, but you

Ok, and for those of us using Potato? I don't have an /etc/login.conf.

...or does that make me:

> if you're using PAM then sprinkle `md5' after any password line in the /etc/pam.d/* files (login, ssh, passwd..)

--
Karsten M. Self kmself@ix.netcom.com http:/www.netcom.com/~kmself
What part of Gestalt don't you understand? http://gestalt-system.sourceforge.net/
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
Re: Is a cryptic password always necessary?
On Fri, Apr 28, 2000 at 04:30:21PM -0700, kmself@ix.netcom.com wrote:
> On Thu, Apr 27, 2000 at 06:49:02PM -0800, Ethan Benson wrote:
> > On Fri, Apr 28, 2000 at 09:21:43AM +0700, Oki DZ wrote:
> > > BTW, does anyone use MD5 for /etc/shadow? I'd like to use it, but how do I migrate from crypt() to MD5? I don't think that just changing the entry in the config file (/etc/login.conf?) would be sufficient.
> >
> > if you're using slink changing /etc/login.conf is all it takes, but you

^^^ s/login.conf/login.defs

> Ok, and for those of us using Potato? I don't have an /etc/login.conf.
>
> ...or does that make me:

sorry, yes, if you're using potato you're using PAM. though potato still has a /etc/login.defs, but the MD5_ENABLE (or whatever) is not used with PAM.

> > if you're using PAM then sprinkle `md5' after any password line in the /etc/pam.d/* files (login, ssh, passwd..)

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Is a cryptic password always necessary?
On Tue, 25 Apr 2000 [EMAIL PROTECTED] wrote:
> An easy trick for making a password that's hard to guess but easy to remember is to use the first letter of each word in the first line of a song you know well.

Get pwgen package; it generates easy to remember (but hopefully difficult to guess) and also secure (difficult to type and remember) passwords.

BTW, does anyone use MD5 for /etc/shadow? I'd like to use it, but how do I migrate from crypt() to MD5? I don't think that just changing the entry in the config file (/etc/login.conf?) would be sufficient.

> Maybe add your favorite number at the end or start. Course if you're a burnt-out 60's druggie then it's pretty easy to guess that the song is Stairway to Heaven :)

So, it would be nicer if you could come up with something more difficult to guess; having a cracked in system would leave you dazed and confused.

Oki
Re: Is a cryptic password always necessary?
On Tue, 25 Apr 2000 kmself@ix.netcom.com wrote:
> Ok, so who *else* is using talwkatgig? g

I'd prefer to use tsrts..

Oki
Re: Is a cryptic password always necessary?
On Fri, Apr 28, 2000 at 09:21:43AM +0700, Oki DZ wrote:
> BTW, does anyone use MD5 for /etc/shadow? I'd like to use it, but how do I migrate from crypt() to MD5? I don't think that just changing the entry in the config file (/etc/login.conf?) would be sufficient.

if you're using slink changing /etc/login.conf is all it takes, but you are right that it won't instantly convert all your crypted passwords into md5, that is impossible since crypted passwords are not reversible (unless you use QNX hehe) however the next time any user runs /usr/bin/passwd their new password will be in md5 format. don't worry though crypted passwords will still work with md5 enabled, activating md5 does not suddenly make all crypted passwords in /etc/shadow invalid.

if you're using PAM then sprinkle `md5' after any password line in the /etc/pam.d/* files (login, ssh, passwd..)

personally i want Blowfish encrypted passwords like my OpenBSD box but linux does not support that :( OpenBSD lets me up the rounds on Blowfish passwords so high that it takes minutes or hours to login ;-)

--
Ethan Benson
http://www.alaska.net/~erbenson/
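Added example (not part of the original thread): a small Python audit that classifies each password field in shadow-format text by its prefix, showing that enabling md5 leaves existing crypt() entries in place until the user next runs passwd. The sample lines and hash strings are constructed placeholders, and the function names and scheme labels are this example's own.

```python
import re

# Constructed sample in shadow(5) layout: name:hash:lastchg:min:max:warn:::
# The hash strings are made-up placeholders, not hashes of real passwords.
SAMPLE_SHADOW = """\
root:$1$Qx7fKp2a$kV9mT3sLw0ZbN8yUe4HcR/:11070:0:99999:7:::
alice:ab3dE9xKq2LmY:11001:0:99999:7:::
bob:$2a$08$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:11070:0:99999:7:::
carol:!cd9Lm2QzX0aBc:11001:0:99999:7:::
daemon:*:10990:0:99999:7:::
dave::11070:0:99999:7:::
"""

# Traditional crypt(): 2 salt chars + 11 hash chars from the [./0-9A-Za-z] set.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(field):
    """Return (scheme, locked) for the password field of one shadow entry."""
    if field == "":
        return ("empty", False)          # account has no password at all
    if field in ("*", "!", "!!"):
        return ("no-login", False)       # no valid hash, password login impossible
    locked = field.startswith("!")       # passwd -l prefixes the hash with '!'
    value = field.lstrip("!")
    if value.startswith("$1$"):
        scheme = "md5"                   # what the PAM `md5' option produces
    elif value.startswith("$2"):
        scheme = "blowfish"              # OpenBSD-style bcrypt prefix
    elif DES_RE.match(value):
        scheme = "des-crypt"             # old crypt() entry, still accepted
    else:
        scheme = "unknown"
    return (scheme, locked)

def audit(shadow_text):
    """Map each account name to its (scheme, locked) classification."""
    rows = (line.split(":") for line in shadow_text.splitlines() if line.strip())
    return {row[0]: classify(row[1]) for row in rows}

def still_on_crypt(shadow_text):
    """Accounts whose hash stays DES crypt() until the user next runs passwd."""
    return sorted(n for n, (s, _) in audit(shadow_text).items() if s == "des-crypt")

if __name__ == "__main__":
    for name, (scheme, locked) in audit(SAMPLE_SHADOW).items():
        print(f"{name:8} {scheme:10} {'locked' if locked else ''}")
    print("unchanged by enabling md5:", still_on_crypt(SAMPLE_SHADOW))
```
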
Re: Is a cryptic password always necessary?
What services are you running? A password doesn't have to be hard to remember or type. It should be hard to guess. You might try running a crack program such as John the Ripper (at Freshmeat). It will give you some idea of your own system's security.

On Tue, Apr 25, 2000 at 05:47:23PM -0700, Erik Ryberg wrote:
> Hello,
> I have a home machine which I'm not too worried about security wise. If I don't go on-line as root, is a difficult to type and remember password really necessary?
> Thanks.
> -- Running Debian GNU/Linux www.debian.org www.gnu.org www.cheapbytes.com

--
Karsten M. Self kmself@ix.netcom.com http:/www.netcom.com/~kmself
What part of Gestalt don't you understand? http://gestalt-system.sourceforge.net/
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
Re: Is a cryptic password always necessary?
Erik Ryberg [EMAIL PROTECTED] writes:
ER> I have a home machine which I'm not too worried about security wise. If
ER> I don't go on-line as root, is a difficult to type and remember password
ER> really necessary?

What do you mean by go on-line as root? If your machine is connected to a network you don't completely control, it's a potential target, even if it's only by a dial-up connection. You definitely don't want to be connected to The World without a root password. If you are going to be connected to The World, you probably don't want to be running services you don't need or use; I disallow unencrypted telnet and rlogin connections, for example, since I use ssh for everything.

This doesn't mean you need a difficult to type and remember password. One might use a password like Help! I forgot my password!, which would be written as H!Ifmp! If you remember the phrase, a mnemonic like this makes it relatively easy to remember the actual (cryptic) password.

--
David Maze [EMAIL PROTECTED] http://www.mit.edu/~dmaze/
Theoretical politics is interesting. Politicking should be illegal. -- Abra Mitchell
Re: Is a cryptic password always necessary?
In article [EMAIL PROTECTED] you wrote:
> Hello,
> I have a home machine which I'm not too worried about security wise. If I don't go on-line as root, is a difficult to type and remember password really necessary?

I think the time isn't that far away when everyone who wants to be online fulltime will be, like cablemodem and dsl users are now. So it wouldn't be a bad idea to get used to decent passwords. That's only part of the story though of course.

An easy trick for making a password that's hard to guess but easy to remember is to use the first letter of each word in the first line of a song you know well. Maybe add your favorite number at the end or start. Course if you're a burnt-out 60's druggie then it's pretty easy to guess that the song is Stairway to Heaven :)
Re: Is a cryptic password always necessary?
On Tue, Apr 25, 2000 at 07:26:16PM -0700, [EMAIL PROTECTED] wrote:
> In article [EMAIL PROTECTED] you wrote:
> > Hello,
> > I have a home machine which I'm not too worried about security wise. If I don't go on-line as root, is a difficult to type and remember password really necessary?
>
> I think the time isn't that far away when everyone who wants to be online fulltime will be, like cablemodem and dsl users are now. So it wouldn't be a bad idea to get used to decent passwords. That's only part of the story though of course.
>
> An easy trick for making a password that's hard to guess but easy to remember is to use the first letter of each word in the first line of a song you know well. Maybe add your favorite number at the end or start. Course if you're a burnt-out 60's druggie then it's pretty easy to guess that the song is Stairway to Heaven :)

Ok, so who *else* is using talwkatgig? g

--
Karsten M. Self kmself@ix.netcom.com http:/www.netcom.com/~kmself
What part of Gestalt don't you understand? http://gestalt-system.sourceforge.net/
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
Re: Is a cryptic password always necessary?
In article [EMAIL PROTECTED], kmself@ix.netcom.com wrote:
> On Tue, Apr 25, 2000 at 07:26:16PM -0700, [EMAIL PROTECTED] wrote:
> > In article [EMAIL PROTECTED] you wrote:
> > Course if you're a burnt-out 60's druggie then it's pretty easy to guess that the song is Stairway to Heaven :)
>
> Ok, so who *else* is using talwkatgig? g

Are we going to need a sign like in the guitar shop in Wayne's World ?

Mike.