From owner-freebsd-questions@FreeBSD.ORG Mon Jan 10 18:04:42 2005
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 32FC616A4CE for ; Mon, 10 Jan 2005 18:04:42 +0000 (GMT)
Received: from green.rahul.net (green.rahul.net [192.160.13.49]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1145943D39 for ; Mon, 10 Jan 2005 18:04:42 +0000 (GMT) (envelope-from conover@rahul.net)
Received: from green.rahul.net (localhost.localdomain [127.0.0.1]) by green.rahul.net (Postfix) with SMTP id 62C31BE8BF for ; Mon, 10 Jan 2005 10:04:40 -0800 (PST)
Received: (qmail 11102 invoked by uid 4199); 10 Jan 2005 18:04:04 -0000
Date: 10 Jan 2005 18:04:04 -0000
Message-ID: <20050110180404.11101.qmail@rahul.net>
To: freebsd-questions@freebsd.org
In-Reply-To: <20050110172303.GA7456@keyslapper.org>
References: <20050110172303.GA7456@keyslapper.org>
From: conover@rahul.net (John Conover)
Subject: Re: Blacklisting IPs
Reply-To: John Conover
List-Id: User questions

Louis LeBlanc writes:
>
> A practice one of my former co-workers liked was to pick a song and pull
> letters out; take Fleetwood Mac: "Don't Stop Thinking About Tomorrow".
> You could get "DSTAT", turn that into something else, like "dSt4T".
> Pretty short, but definitely not a dictionary word. You could even take
> more letters from the next line: "Don't Stop, It'll Soon Be Here" and get
> "dSt4TDs1SbH", or any number of derivations. If you forget the actual
> password, your song is an excellent hint.
>

I think that comes from RFC1244 (Site Security Handbook), which is a pretty good security SOP for *_general_* 'Net users.
The stuff 1244 suggests is not perfect, by any means, but is a relatively good compromise between security, usability, and operational costs. For example, to keep sysadmin phone calls on forgotten passwds to a minimum, 1244 suggests the words in a user's favorite song ('cause folks' minds remember the words), to seven letters, maybe with capitalization. For example, if the "Star Spangled Banner" is the fav, then a passwd would be "oH#saY#caN#". If logins must be updated periodically, then the user's next passwd would be "yoU#See", and so on.

It's certainly not perfect[1], but it's cheap to administer, easy to use, etc., and relatively hard to crack by algorithmic means, at least without filling up the log files, giving the sysadm a "heads up" to type something beginning with "block ..."

1244 has a lot of cute little security things like that.

        John

[1] Yea, I've tried a passwd policy of denied vowel-consonant relationships (e.g., words). Not only did I have a lot of phone calls on forgotten passwds, I gained credentials as an English teacher.

--
John Conover, conover@rahul.net, http://www.johncon.com/
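The song-lyric recipe above, written out as an added example (this is not code from the original message or from RFC 1244). The exact rule is my assumption, chosen so that the first password from the Star Spangled Banner comes out as "oH#saY#caN#": take whole words from the lyric until at least seven letters are covered, capitalize the last letter of each word, join with "#". `derive` also returns where the next rotation should start, and `candidate_space` enumerates every password the rule family can produce from one line of the song, which is the set a guesser who knows the song and the scheme (but not the exact parameters) has to try. The lyric is a constructed sample input.

```python
import re

# Added example, not code from the original message. The recipe is an
# assumption: take whole words until at least MIN_LETTERS letters are covered,
# capitalize the last letter of each word, join with SEP and add a trailing SEP.
MIN_LETTERS = 7
SEP = "#"

# Constructed sample lyric (first line of the Star Spangled Banner).
LYRIC = "Oh say can you see, by the dawn's early light"


def words(lyric):
    """Lower-case the lyric and keep only letters and spaces, then split."""
    return re.sub(r"[^a-z\s]", "", lyric.lower()).split()


def take_chunk(ws, start, min_letters=MIN_LETTERS):
    """Take whole words from ws[start:] until at least min_letters letters are covered."""
    taken, letters = [], 0
    for w in ws[start:]:
        taken.append(w)
        letters += len(w)
        if letters >= min_letters:
            break
    return taken


def mangle(ws, caps="last", sep=SEP):
    """Apply the capitalization and separator rule to a list of words."""
    if caps == "last":
        ws = [w[:-1] + w[-1].upper() for w in ws]
    elif caps == "first":
        ws = [w.capitalize() for w in ws]
    elif caps != "none":
        raise ValueError(caps)
    return sep.join(ws) + sep


def derive(lyric, start=0, min_letters=MIN_LETTERS, caps="last", sep=SEP):
    """Return (password, next_start); next_start lets the next rotation continue in the song."""
    ws = words(lyric)
    if start >= len(ws):
        raise ValueError("song exhausted; pick a new one")
    chunk = take_chunk(ws, start, min_letters)
    return mangle(chunk, caps, sep), start + len(chunk)


def rotation(lyric, **kw):
    """All passwords a user cycles through before the song is used up."""
    out, start = [], 0
    while start < len(words(lyric)):
        pw, start = derive(lyric, start, **kw)
        out.append(pw)
    return out


def candidate_space(lyric, min_letters_range=range(5, 10),
                    caps_choices=("last", "first", "none"),
                    seps=("#", "-", ".", "")):
    """Every password the rule family can produce from this lyric: the guess
    list for someone who knows the song and the scheme but not the parameters."""
    ws = words(lyric)
    space = set()
    for start in range(len(ws)):
        for ml in min_letters_range:
            chunk = take_chunk(ws, start, ml)
            for caps in caps_choices:
                for sep in seps:
                    space.add(mangle(chunk, caps, sep))
    return space


if __name__ == "__main__":
    print(rotation(LYRIC))
    print(len(candidate_space(LYRIC)), "candidates from one line of the song")
```

The rotation for the sample line is `oH#saY#caN#`, `yoU#seE#bY#`, `thE#dawnS#`, `earlY#lighT#`; the candidate set for that one line is a few hundred strings at most, so the scheme's strength rests entirely on the guesser not knowing which song (and which line) the user picked.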
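The "filling up the log files" signal John mentions, as an added example that is not part of the original message: count failed sshd password attempts per source address over a few constructed log lines and emit the pf commands that would add the offenders to a blocking table. The log format, the threshold of five, the table name `bruteforce` and the `allow` list are assumptions of this example; `pfctl -t <table> -T add <ip>` is standard pf syntax but presumes a `table <bruteforce> persist` declaration and a `block in quick from <bruteforce>` rule in pf.conf, which the message does not specify.

```python
import re
from collections import Counter

# Constructed sample sshd log lines, not taken from the original message.
# 192.0.2.10 hammers root/admin accounts; 198.51.100.7 is a real user with one typo.
SAMPLE_LOG = """\
Jan 10 17:58:01 green sshd[11001]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Jan 10 17:58:03 green sshd[11002]: Failed password for root from 192.0.2.10 port 40212 ssh2
Jan 10 17:58:04 green sshd[11003]: Failed password for invalid user test from 192.0.2.10 port 40213 ssh2
Jan 10 17:58:06 green sshd[11004]: Failed password for root from 192.0.2.10 port 40214 ssh2
Jan 10 17:58:09 green sshd[11005]: Accepted publickey for john from 198.51.100.7 port 50100 ssh2
Jan 10 17:58:11 green sshd[11006]: Failed password for john from 198.51.100.7 port 50101 ssh2
Jan 10 17:58:15 green sshd[11007]: Failed password for root from 192.0.2.10 port 40215 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def failures_by_source(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_text, threshold=5, allow=()):
    """Sources at or above the threshold, minus addresses we never block
    (the admin's own workstation, for one; forgetting it is how you lock yourself out)."""
    return sorted(ip for ip, n in failures_by_source(log_text).items()
                  if n >= threshold and ip not in allow)


def block_commands(log_text, threshold=5, table="bruteforce", allow=()):
    """pfctl commands adding each offender to a pf table (assumed to exist in pf.conf)."""
    return [f"pfctl -t {table} -T add {ip}"
            for ip in offenders(log_text, threshold, allow)]


if __name__ == "__main__":
    for cmd in block_commands(SAMPLE_LOG):
        print(cmd)
```

With the sample lines only 192.0.2.10 crosses the threshold; the single failure from 198.51.100.7 is exactly the forgotten-password case the message is about, and a threshold that low would turn the sysadmin's phone calls into lockouts.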