Date:      Fri, 23 Feb 1996 04:11:14 -0500 (EST)
From:      Brian Tao <taob@io.org>
To:        FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
Subject:   Informing users of cracked passwords?
Message-ID:  <Pine.BSF.3.91.960223040346.18637J-100000@zip.io.org>

    What is generally the best approach to handling a situation in an
ISP where a large number of users (e.g., over 1000) are found to
have vulnerable passwords?

    We ran Crack on our master.passwd for a week or so, and after the
dust settled, over 1700 accounts were exposed.  This is what we did:

1)  Gave no warning to our users (we didn't want to alert hackers to
    our crackdown on bad passwords)

2)  Installed a new passwd binary linked with libcrack

3)  Expired all affected passwords and set home directories to mode
    000 (mainly to deny access to the .rhosts file and public_html
    directory)

4)  Required that new passwords be provided via voice call to our
    customer support desk

    From previous discussions in security-related newsgroups, I am
under the impression that the best policy for a public-access site
is a clean sweep like this.  No warning of the impending cut-off
date, and force the user to specify a better password.

    Does anyone have any counter-advice to the above method?
--
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"
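
Added example, not part of the original post or of any FreeBSD tool: a
script that turns a Crack hit-list into the step-3 remediation above
(expire the password, chmod 000 the home directory) as a reviewable
command plan rather than running it directly. It assumes a FreeBSD
master.passwd layout (10 colon fields, home directory in field 9) and
that pw(8) accepts "-p 1" (a UNIX time in the past) to force a password
change at next login; the accounts and paths are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: plan the expire-and-lock
# step for accounts that Crack flagged, as commands to review before use.
# Assumptions (not stated on the page): FreeBSD master.passwd format,
# home dir = field 9; "pw usermod NAME -p 1" sets a past password-expiry
# time so the user must change it at next login.

# Print one command pair per cracked account that exists in the passwd
# file. Unknown or malformed names go to stderr and are skipped, so a
# typo in the hit-list can never lock out the wrong user.
plan_remediation() {
    passwd_file=$1
    cracked_list=$2
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        # Accept plain account names only: no colons, no shell metacharacters.
        case $user in
            *[!A-Za-z0-9_.-]*) echo "skip (bad name): $user" >&2; continue ;;
        esac
        home=$(awk -F: -v u="$user" '$1 == u { print $9; exit }' "$passwd_file")
        if [ -z "$home" ]; then
            echo "skip (not in passwd): $user" >&2
            continue
        fi
        printf 'pw usermod %s -p 1\n' "$user"  # force a password change
        printf 'chmod 000 %s\n' "$home"        # blocks .rhosts / public_html
    done < "$cracked_list"
}

# Constructed sample data in a scratch directory; no real accounts.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/master.passwd" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
    # "mallory" is deliberately absent from the passwd file.
    printf 'alice\nmallory\nbob\n' > "$dir/cracked"
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    plan_remediation "$d/master.passwd" "$d/cracked"
fi
```

Run it with --demo to see the plan; pipe the output to sh only after
reviewing it.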
