Whoa... I don't like what I'm hearing here...

1. Never, ever, ever give anyone a password of yours. If you even think your password is compromised, then it is (whenever there is any doubt, there is no doubt).

2. Whenever possible, try to separately fulfill the three A's via different programs/protocols/encryption: Access (ACL via a router, xinetd/tcpwrappers/inetd/whatever), Authorization (X.509, public/private key pairs, etc.) and Authentication (passphrase, password, etc.). In practice, X.509/SSL is limited, due to revocation problems in large (read: Internet) scale infrastructures, and other things can be difficult. However, I find SSH when used properly (agent & passphrase, SSH2 keys with a good encryption algorithm chosen), in conjunction with ACLs & firewalls, provides a good general-purpose solution for access. For things like mail & web, SSL works OK on a small scale (for a single site), along with passwords and ACLs.

3. Passwords should not be crackable (by a dictionary or random brute-force algorithm, or, in the case of non-trap-door password files, by some other means) in any real amount of time. We usually check ours on a small Linux cluster, and if they are still unbroken in three weeks, it's OK. If not, the user is locked out until they are instructed in proper password choosing and can pass the crack test.

4. Passwords should be changed regularly (we do it about every 6 months, depending on the site & security needs, etc.). This is in addition to changes of any compromised passwords, say after someone leaves, or something is hacked, etc.

5. We run periodic security checks of users' office space (on tech support visits mainly), and if they've written a password down, it qualifies as an instant compromise, and they get chewed out.

6. All the important (router/server/firewall/switch/other) passwords are stored in a fireproof safe in a sealed envelope, in the event of a sysadmin's death/???. When passwords are changed, so is the envelope, in addition to first being verified as being the correct ones (some people use passwords as a job security measure, which is lame).

YMMV, but I found that firewalls/ACLs, H/NIDS stuff, and keeping your patches updated all help against an initial intrusion. Poor password policy and response to the intrusion ensures they will own your box for a long, long time to come, and perhaps compromise others. You'd be surprised how many people will use only a couple of passwords all over the place, from their bank to joebob's porn emporium to work, and then wonder how somebody cracked into their machine.

Well, my 2 1/2 cent rant.

Cheers,
JM

----- Original Message -----
From: "gminick" <[EMAIL PROTECTED]>
To: "security-basics" <[EMAIL PROTECTED]>
Sent: Monday, December 17, 2001 10:20 AM
Subject: Re: Passwords On Paper

> On Mon, Dec 17, 2001 at 03:41:19PM +0200, you (George Barnett) wrote:
> > While remembering passwords is one thing and for some people very simple, it
> > is important to keep a "backup" in the form of passwords written down in a
> > little black book in a safe somewhere that is accessible in case you get hit
> > by a truck or something else unexpected happens to you.
> It wouldn't be my problem then :)
> My ex-girlfriend knows all my passwords, so I think
> that there's always a way to log in to my servers/mailboxes/whatever
> without me (but she's totally unfamiliar with computers
> at all and she doesn't know how to do it :))
>
> --
> [ Wojtek gminick Walczak ][ http://hacker.pl/gminick/ ]
> [ gminick (at) hacker.pl ][ gminick (at) klub.chip.pl ]
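JM's item 2 (access via tcpwrappers/ACL, authentication via SSH2 keys with an agent-held passphrase) as a concrete configuration. This is an added illustration, not from JM's message or the list; the subnet and user names are made up, and it assumes sshd is built with libwrap (or run from inetd/xinetd) so that the hosts.allow/hosts.deny rules apply.

```text
# /etc/hosts.deny -- default deny for every tcpwrappers-controlled service (Access)
ALL: ALL

# /etc/hosts.allow -- only the admin subnet (constructed address) reaches sshd
sshd: 192.0.2.0/255.255.255.0

# /etc/ssh/sshd_config -- SSH2 keys only, no password logins (Authentication)
# (sshd_config does not allow trailing comments, so each comment is on its own line)
Protocol 2
PermitRootLogin no
# A stolen or guessed password is useless: only a key unlocks a session
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
# Pin the cipher list instead of accepting whatever the client proposes
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
# Constructed user list; anyone not named here is refused even with a valid key
AllowUsers alice bob
MaxAuthTries 3
# VERBOSE records the fingerprint of the key that was accepted, which is what
# you want in the logs when an account is later suspected of being compromised
LogLevel VERBOSE

# Client side: the private key is wrapped in a passphrase and unlocked once into
# an agent, so the passphrase is typed once per session and never written down
#   ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa      (prompts for the passphrase)
#   eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_rsa
```

Test the change with a second session still open before restarting sshd, so a typo in AllowUsers or the cipher list cannot lock you out.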