Date: Mon, 10 Jan 2005 13:29:15 -0500
From: Louis LeBlanc
To: freebsd-questions@freebsd.org
Subject: Re: Blacklisting IPs
Message-ID: <20050110182913.GD7456@keyslapper.org>
In-Reply-To: <20050110180404.11101.qmail@rahul.net>
References: <20050110172303.GA7456@keyslapper.org> <20050110180404.11101.qmail@rahul.net>

On 01/10/05 06:04 PM, John Conover sat at the `puter and typed:
> Louis LeBlanc writes:
> >
> > A practice one of my former co-workers liked was to pick a song and pull
> > letters out; take Fleetwood Mac: "Don't Stop Thinking About Tomorrow".
> > You could get "DSTAT", turn that into something else, like "dSt4T".
> > Pretty short, but definitely not a dictionary word. You could even take
> > more letters from the next line: "Don't Stop, It'll Soon Be Here" and get
> > "dSt4TDs1SbH", or any number of derivations. If you forget the actual
> > password, your song is an excellent hint.
> >
>
> I think that comes from RFC1244, (Site Security Handbook,) which is a
> pretty good security SOP for *_general_* 'Net users.
>
> The stuff 1244 suggests is not perfect, by any means, but is a
> relatively good compromise between security, usability, and
> operational costs.
>
> For example, to keep sysadmin phone calls on forgotten passwds to a
> minimum, 1244 suggests the words in a user's favorite song, ('cause
> folk's minds remember the words,) to seven letters - maybe with
> capitalization. For example, if the "Star Spangled Banner" is the
> 'fav, then a passwd would be "oH#saY#caN#".
>
> If logins must be updated periodically, then the user's next passwd
> would be, "yoU#See", and so on.
>
> It's certainly not perfect[1], but it's cheap to administer, easy to
> use, etc., and relatively hard to crack by algorithmic means - at least
> without filling up the log files, giving the sysadm a "heads up" to
> type something beginning with "block ..."
>
> 1244 has a lot of cute little security things like that.
>
>         John
>
> [1] Yea, I've tried a passwd policy of denied vowel-consonant
> relationships, (e.g., words.) Not only did I have a lot of phone calls
> on forgotten passwds, I gained credentials as an English teacher.

LOL. I understand completely.

BTW, a quick search yielded an update to 1244: 2196, which can be found
here:
http://www.faqs.org/rfcs/rfc2196.html

Thanks.
Lou
-- 
Louis LeBlanc               FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org
The following statement is not true.
The previous statement is true.