From owner-freebsd-security Fri Feb 23 01:47:48 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id BAA23792 for security-outgoing; Fri, 23 Feb 1996 01:47:48 -0800 (PST)
Received: from zip.io.org (root@zip.io.org [198.133.36.80]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id BAA23786 for ; Fri, 23 Feb 1996 01:47:44 -0800 (PST)
Received: (from taob@localhost) by zip.io.org (8.6.12/8.6.12) id EAA03240; Fri, 23 Feb 1996 04:11:14 -0500
Date: Fri, 23 Feb 1996 04:11:14 -0500 (EST)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: Informing users of cracked passwords?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

What is generally the best approach to handling a situation in an ISP where a large number of users (e.g., over 1000) are found to have vulnerable passwords? We ran Crack on our master.passwd for a week or so, and after the dust settled, over 1700 accounts were exposed. This is what we did:

1) Gave no warning to our users (we didn't want to alert hackers to our crackdown on bad passwords)
2) Installed a new passwd binary linked with libcrack
3) Expired all affected passwords and set home directories to mode 000 (mainly to deny access to the .rhosts file and public_html directory)
4) Required that new passwords be provided via voice call to our customer support desk

From previous discussions in security-related newsgroups, I am under the impression that the best policy for a public-access site is a clean sweep like this. No warning of the impending cut-off date, and force the user to specify a better password.

Does anyone have any counter-advice to the above method?

--
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"
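The message above relies on two things: a passwd binary linked with libcrack, so that weak replacements are refused at the moment a user picks them, and a list of affected accounts to expire. The block below is an added illustration, not the poster's code and not FreeBSD's passwd or libcrack; it reimplements the kind of rules a libcrack-linked passwd enforces (minimum length, rejection of dictionary words and simple manglings of them, rejection of passwords built from the account name or GECOS field, and a character-class requirement). The function names, the tiny word list and the sample accounts are all constructed for this example; a real deployment would load a full dictionary.

```python
"""libcrack-style password quality check (illustrative, not FreeBSD's libcrack)."""

import re

# Constructed sample dictionary; a real check loads a full word list.
SAMPLE_DICTIONARY = {
    "password", "secret", "welcome", "internet", "freebsd", "letmein",
    "dragon", "master", "sunshine", "monkey", "qwerty",
}

MIN_LENGTH = 8


def _manglings(candidate: str):
    """Yield the cheap variants a dictionary cracker tries first: lowercase,
    reversed, leading/trailing digits or characters removed, and common
    digit-for-letter substitutions undone (0->o, 1->l, 3->e, 4->a, 5->s)."""
    low = candidate.lower()
    yield low
    yield low[::-1]
    yield low.rstrip("0123456789")
    yield low.lstrip("0123456789")
    yield low[1:]
    yield low[:-1]
    yield low.translate(str.maketrans("01345@$", "oleasas"))


def _name_words(username: str, gecos: str):
    """Words from the account name and GECOS field (e.g. 'Bob Smith')
    that must not form the basis of the password."""
    words = {username.lower()}
    for w in re.split(r"[\s,]+", gecos.lower()):
        if len(w) >= 3:
            words.add(w)
    return words


def check_password(password: str, username: str, gecos: str = "",
                   dictionary=SAMPLE_DICTIONARY):
    """Return None if the password is acceptable, otherwise a short reason
    in the style of the messages a libcrack-linked passwd prints."""
    if len(password) < MIN_LENGTH:
        return "it is too short"
    if len(set(password)) < 4:
        return "it does not contain enough DIFFERENT characters"
    names = _name_words(username, gecos)
    for variant in _manglings(password):
        if variant in dictionary:
            return "it is based on a dictionary word"
        if any(n in variant for n in names):
            return "it is based on your username or full name"
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        return "it needs characters from at least three classes (lower, upper, digit, symbol)"
    return None


def audit_accounts(accounts, dictionary=SAMPLE_DICTIONARY):
    """Given (username, gecos, password) triples recovered by a cracking
    run, return the usernames whose password fails the policy: the set an
    operator would expire and re-issue out of band, as in step 3 above."""
    return [u for u, g, p in accounts
            if check_password(p, u, g, dictionary) is not None]


if __name__ == "__main__":
    # Constructed sample accounts, not real users.
    sample = [
        ("bob", "Bob Smith", "password1"),
        ("alice", "Alice Jones", "Tr0ub4dor&3"),
        ("carol", "Carol Lee", "carollee22"),
    ]
    for user, gecos, pw in sample:
        print(f"{user}: {check_password(pw, user, gecos) or 'OK'}")
    print("accounts to expire:", audit_accounts(sample))
```

The dictionary test runs before the name test so that a mangled dictionary word is reported as such; the class check runs last, since a password that is already a dictionary word gains nothing from an appended digit, which is exactly the case "password1" exercises.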