Whoa... I don't like what I'm hearing here...

1. Never, ever, ever give anyone a password of yours.
If you even think your password is compromised, then it is (whenever there
is any doubt, there is no doubt).

2. Whenever possible, try to separately fulfill the three A's via different
programs/protocols/encryption: Access (ACL via a router,
xinetd/tcpwrappers/inetd/whatever), Authorization (X.509, public/private
key pairs, etc.) and Authentication (passphrase, password, etc.).
In practice, X.509/SSL is limited, due to revocation problems in large
(read: Internet) scale infrastructures, and other things can be difficult.
However, I find SSH when used properly (agent & passphrase, SSH2 keys with
a good encryption algorithm chosen) in conjunction with ACL & firewalls
provides a good general purpose solution for access. For things like mail &
web, SSL works ok on a small scale (for a single site), along with passwords
and ACL.

3. Passwords should not be crackable (by a dictionary or random brute force
algorithm, or (in case of non trap door password files) by some other means)
in any real amount of time. We usually check ours on a small Linux cluster,
and if they are still unbroken in three weeks, it's ok. If not, the user is
locked out until they have been instructed in proper password choosing and
can pass the crack test.

4. Passwords should be changed regularly (we do it about every 6 months,
depending on the site & security needs, etc.). This is in addition to
changes of any compromised passwords, say after someone leaves, or something
is hacked, etc.

5. We run periodic security checks of users' office space
(on tech support visits mainly), and if they've written a password down, it
qualifies as an instant compromise, and they get chewed out.

6. All the important (router/server/firewall/switch/other) passwords are
stored in a fireproof safe in a sealed envelope, in the event of a
sysadmin's death/???.
When passwords are changed, so is the envelope, after first verifying that
they are the correct ones (some people use passwords as a job security
measure, which is lame).

YMMV, but I found that firewalls/ACL, H/NIDS stuff, and keeping your patches
updated all help against an initial intrusion. Poor password policy and
response to the intrusion ensures they will own your box for a long, long
time to come, and perhaps compromise others. You'd be surprised how many
people will use only a couple of passwords all over the place, from their
bank to joebob's porn emporium to work, and then wonder how somebody cracked
into their machine.

Well, my 2 1/2 cent rant.

Cheers,

JM

----- Original Message -----
From: "gminick" <[EMAIL PROTECTED]>
To: "security-basics" <[EMAIL PROTECTED]>
Sent: Monday, December 17, 2001 10:20 AM
Subject: Re: Passwords On Paper


> On Mon, Dec 17, 2001 at 03:41:19PM +0200, you (George Barnett) wrote:
> > While remembering passwords is one thing and for some people very simple,
> > it is important to keep a "backup" in the form of passwords written down
> > in a little black book in a safe somewhere that is accessible in case you
> > get hit by a truck or something else unexpected happens to you.
> It wouldn't be my problem then :)
> My ex-girlfriend knows all my passwords, so I think
> that there's always a way to log in to my servers/mailboxes/whatever
> without me (but she's totally unfamiliar with computers
> at all and she doesn't know how to do it :))
>
> --
> [ Wojtek gminick Walczak ][ http://hacker.pl/gminick/ ]
> [ gminick (at) hacker.pl ][ gminick (at) klub.chip.pl ]

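[Added example, not part of JM's message or of the list thread: a small
Python sketch of the crack check JM describes in item 3, i.e. running a
dictionary with mangling rules and then a short exhaustive search against a
password file and locking out whoever falls. Everything in it is constructed
for the example: the password-file layout, the sample accounts, the mini
wordlist and the mangling rules are the example's own, and the hash is a
salted SHA-256 standing in for whatever crypt(3) format the real
/etc/shadow uses. Function names (parse_shadow, mangle, crack, users_to_lock)
are likewise the example's own, not any tool's API.]

```python
import hashlib
import itertools
from typing import Dict, Iterator, List, Tuple

# Hypothetical simplified password-file format used only for this example:
#   user:$salt$hex(SHA-256(salt + password))
# It stands in for whatever crypt(3) format a real /etc/shadow uses; the
# checking logic below does not depend on which hash is in use.
def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user: str, salt: str, password: str) -> str:
    return f"{user}:${salt}${hash_password(salt, password)}"


# Constructed sample entries (not real accounts): one plain dictionary word,
# two mangled dictionary words, one very short password, one strong one.
SAMPLE_SHADOW = "\n".join([
    make_entry("alice", "ab", "Summer2001"),       # capitalised word + year
    make_entry("bob",   "cd", "dragon"),           # plain dictionary word
    make_entry("carol", "ef", "nogard1"),          # reversed word + digit
    make_entry("dave",  "gh", "Tr0ub4dor&3xyz!"),  # should survive the check
    make_entry("eve",   "ij", "x9"),               # short: brute force gets it
])

# Constructed mini wordlist; a real run uses a large dictionary file.
WORDLIST = ["password", "dragon", "summer", "letmein", "admin"]


def parse_shadow(text: str) -> Dict[str, Tuple[str, str]]:
    """Map user -> (salt, digest) for every non-empty, non-comment line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, hashfield = line.partition(":")
        _, salt, digest = hashfield.split("$")
        entries[user] = (salt, digest)
    return entries


def mangle(word: str) -> Iterator[str]:
    """Variants a cracker tries for each dictionary word: case changes,
    reversal, and an appended digit or year (rules chosen for this example)."""
    bases = [word, word.lower(), word.capitalize(), word.upper(), word[::-1]]
    for b in dict.fromkeys(bases):  # de-duplicate, keep order
        yield b
        for d in range(10):
            yield f"{b}{d}"
        for year in range(1990, 2002):
            yield f"{b}{year}"


def candidates(wordlist: List[str], max_brute_len: int) -> Iterator[str]:
    """Dictionary + mangling first, then exhaustive search over a small
    alphabet up to max_brute_len characters (0 disables brute force)."""
    seen = set()
    for word in wordlist:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for n in range(1, max_brute_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def crack(entries: Dict[str, Tuple[str, str]], wordlist: List[str],
          max_brute_len: int = 0) -> Dict[str, str]:
    """Return {user: recovered_password} for every entry the candidate
    stream recovers. Each candidate is tried against every still-uncracked
    user, so cracked accounts drop out of the work as they fall."""
    remaining = dict(entries)
    cracked: Dict[str, str] = {}
    for cand in candidates(wordlist, max_brute_len):
        if not remaining:
            break
        for user in list(remaining):
            salt, digest = remaining[user]
            if hash_password(salt, cand) == digest:
                cracked[user] = cand
                del remaining[user]
    return cracked


def users_to_lock(entries: Dict[str, Tuple[str, str]], wordlist: List[str],
                  max_brute_len: int = 0) -> List[str]:
    """The policy from the post: anyone whose password fell gets locked out."""
    return sorted(crack(entries, wordlist, max_brute_len))


if __name__ == "__main__":
    found = crack(parse_shadow(SAMPLE_SHADOW), WORDLIST, max_brute_len=2)
    for user, pw in sorted(found.items()):
        print(f"{user}: cracked ({pw!r}) -> lock out and re-educate")
```

Run as a script it names the four constructed accounts that fall (alice,
bob, carol and eve) and leaves dave alone. In a real check the wordlist is a
full dictionary, the hash is the one actually in /etc/shadow, and the
exhaustive stage with a longer length limit is what eats the three weeks of
cluster time JM mentions; the lock-out list is the part that feeds policy.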