Date:      Fri, 27 Feb 1998 23:49:29 -0800 (PST)
From:      Jan Koum <jkb@best.com>
To:        "Eric A. Davis" <edavis@nas.nasa.gov>
Cc:        LOlayiwola <LOlayiwola@aol.com>, questions@FreeBSD.ORG
Subject:   Re: Unix System Security 
Message-ID:  <Pine.BSF.3.96.980227234850.27617I-100000@shell6.ba.best.com>
In-Reply-To: <199802270013.QAA20942@shark.nas.nasa.gov>

On Thu, 26 Feb 1998, Eric A. Davis wrote:

>
>On Thu, 26 Feb 1998 19:30:06 -0400 (AST) Michael Richards wrote
>>> 2) How could I as a security advisor advise a network administrator to cater
>>> for this security problem.
>>One important thing is to educate the users. Have them pick good
>>passwords. Something like foobar is not a good password, nor is 555-2344,
>>or julie. People who don't know any better commonly choose passwords like
>>this. Take person X, he is going out with someone named Julie, and his
>>phone number is 555-2344. Not hard to guess his password.
>>If the cracker is able to get the passwd file they can run something
>>called a dictionary crack on it. That involves going through the
>>dictionary and trying permutations of words and numbers and trying them
>>against the users. Someone with a bad password may match one of the
>>program's guesses.
>>A password like: 3%gP)3s would be a good one because it is not

	One reason this would not be a good password is that a user who
can't remember it is forced to write it down somewhere.

-- Yan

>>pronounceable, an English word it is not, hence there is little chance of a
>>dictionary crack getting it. Also, if someone saw the 1st 3 characters,
>>they couldn't guess the rest. Juli, if you knew the person, would be an
>>easy guess.
>>
>
>To combat against users choosing bad passwords you should install a 'passwd'
>app that pro-actively checks the password.  That is, checks the password's 
>integrity before it is changed.  Some excellent 'passwd' apps are Epasswd,
>passwd+, and npasswd.  The Epasswd homepage also has some good statistics
>about password permutations.
>
>http://www.nas.nasa.gov/~edavis/epasswd/
>
>- eric
>
>-- 
>     Eric Allen Davis        Network Engineer
>     edavis@nas.nasa.gov     NASA Ames Research Center 
>     Voice: (415)604-2543    NAS Systems Division
>     Pager: (415)428-6931    http://www.nas.nasa.gov/~edavis
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
>
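
The proactive check discussed in this thread, sketched as an added example; it is not code from Epasswd, passwd+ or npasswd, nor from any poster here. The wordlist, the thresholds, and the names check_password, variants and squash are assumptions made for illustration.

```python
import re

# Constructed sample wordlist; a real checker would load a full dictionary file.
WORDLIST = {"foobar", "julie", "password", "dragon", "secret"}

# Undo common digit/symbol-for-letter substitutions before the lookup.
LEET = str.maketrans("013457@$!", "oleastasi")


def squash(text):
    """Lower-case and drop punctuation so '555-2344' compares as '5552344'."""
    return re.sub(r"[\W_]", "", text.lower())


def variants(password):
    """Forms of the password that a dictionary cracker's permutations also reach."""
    low = password.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", low)  # strip digit/symbol padding
    forms = {low, core, low.translate(LEET), core.translate(LEET)}
    forms |= {form[::-1] for form in forms}  # reversed spellings
    return {form for form in forms if form}


def check_password(password, personal=(), min_len=6):
    """Return the reasons to refuse the new password; an empty list accepts it."""
    reasons = []
    if len(password) < min_len:
        reasons.append("too short")
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^a-zA-Z\d]")
    if sum(bool(re.search(p, password)) for p in patterns) < 3:
        reasons.append("fewer than 3 character classes")
    forms = variants(password)
    if forms & WORDLIST:
        reasons.append("based on a dictionary word")
    for item in personal:
        key = squash(item)[:4]  # "Juli" is enough to guess "Julie"
        if len(key) == 4 and any(key in squash(form) for form in forms):
            reasons.append("derived from personal information")
            break
    return reasons


if __name__ == "__main__":
    known = ("Julie", "555-2344")  # constructed: what is known about person X
    for candidate in ("foobar", "F00bar!1", "Juli", "555-2344", "3%gP)3s"):
        print(f"{candidate!r}: {check_password(candidate, known) or 'accepted'}")
```

A passwd replacement would run a check like this on the proposed password before storing it and refuse the change when the list is not empty.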

