On Mon, Dec 17, 2001 at 07:58:06PM -0800, you (John Morris) wrote:

> Whoa... I don't like what I'm hearing here...

Your choice ;) I don't like top-posted replies with uncut signatures and useless cites ;P

> 1. Never, ever, ever give anyone a password of yours.

I'm not especially sensitive when it comes to talk about passwords, because there's a thousand other ways to compromise a target. My passwords are not crackable; nobody could type the same 12-character-long password. I know it's good and really hard to memorize even if you see it for about 6-7 seconds. These passwords (the most important ones, such as those for root) are known only by me and my ex-girlfriend (I was talking with her today; she doesn't remember these - so important - strings, she just remembers a little part of one, compounded with her).

> If you even think your password is compromised, then it is (Whenever there
> is any doubt, there is no doubt.)

You're absolutely right, but in my hierarchy trust is placed higher than doubt, and as I said earlier, there's *only one* person I'm trusting in.

> 5. We run periodic security checks of user's office space,
> (on tech support visits mainly), and if they've written a password down, it
> qualifies as an instant compromise, and they get chewed out.

Good strategy, but I have a question: what about passwords remembered by software, you know, like in Internet Explorer etc.? It's the easiest way to get in somewhere. Sometimes we've (me and my friend) got a really great ROTFL when we're sitting in front of the above-mentioned browser and digging in the history (to see which sites were visited before and which of them have passwords written in registry/cookies/whatever). People are usually careless and they don't care if they leave a password somewhere. We love to laugh about stupid software with stupid options created to make people more stupid than they are.

> You'd be surprised how many
> people will use only a couple of passwords all over the place, from their
> bank to joebob's porn emporium to work, and then wonder how somebody cracked
> into their machine.

You're dead right.

I do know real examples of passwords like 'qweasd' to mailboxes and so on. One of my colleagues is using the same password - 'qweasd' - whenever a password is necessary. For the other example I could mention two of my neighbours. One is using the name of his son concatenated with his birthdate (name+birthdate), the second is using his real name+surname as a login and his nickname as a password. And what is really sad - they said it to me, just in the same way as they're saying 'Hi'! Yes... I'm a local master, and when it comes to doing anything more complicated (for a newbie), I'm the person who is called then :))

-- 
[ Wojtek gminick Walczak ][ http://hacker.pl/gminick/ ]
[ gminick (at) hacker.pl ][ gminick (at) klub.chip.pl ]
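A defender-side password policy check for the weak patterns named in this thread (keyboard walks like 'qweasd', a relative's name plus birthdate, a nickname that is part of the login), as an added example that is not part of the original mail. The keyboard rows, the 12-character minimum and the user records are constructed assumptions.

```python
from datetime import date

# Constructed US-layout keyboard rows, used to spot keyboard walks such as 'qweasd'.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Date spellings people commonly type into passwords (constructed list).
DATE_FORMATS = ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%y%m%d", "%Y")


def keyboard_walks(password, min_run=3):
    """Return every run of min_run adjacent keys (either direction) found in password."""
    p = password.lower()
    found = []
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - min_run + 1):
            run = row[start:start + min_run]
            if run in p or run[::-1] in p:
                found.append(run)
    return found


def date_forms(d):
    """Spellings of one date, in a fixed order so reports are deterministic."""
    return tuple(d.strftime(fmt) for fmt in DATE_FORMATS)


def check_password(password, login, names=(), dates=()):
    """Return the list of policy violations; an empty list means the password passed.

    names: the user's own and relatives' names or nicknames (hypothetical user record);
    dates: datetime.date objects (birthdays etc.) an acquaintance could guess.
    """
    p = password.lower()
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if p == login.lower():
        problems.append("equals the login")
    elif p in login.lower():
        problems.append("is part of the login")
    walks = keyboard_walks(password)
    if walks:
        problems.append("keyboard walk: " + ", ".join(walks))
    for name in names:
        if len(name) >= 3 and name.lower() in p:
            problems.append("contains name '%s'" % name)
    for d in dates:
        for form in date_forms(d):
            if form in p:
                problems.append("contains date %s" % form)
                break
    return problems
```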