From: Geoff Torres <geoff@rosemail.rose.hp.com>
To: James Kelty <jamesk@ashlandagency.com>
Cc: linux-admin@vger.kernel.org
Subject: Re: Password aging problem
Date: Fri, 28 Jun 2002 15:10:27 -0700
Message-ID: <3D1CDED3.9E10F2BA@rosemail.rose.hp.com>
In-Reply-To: DAEBINOFJKIEABJAMLLCOEIMCHAA.jamesk@ashlandagency.com

Hi,

I'm not familiar with shadow-utils, but I can tell you that "B1u3 K@t!"
is not particularly sturdy from a password cracking viewpoint.  The idea
of using numbers to represent letters is well known and used by cracking
algorithms.
1=l, 3=e, @=a, K=c, both blue and cat are dictionary words.

Now I agree with you that nobody will likely guess that password, but a
computer would if given access to your shadow file.  

Most password checking algorithms assume that you have a publicly
viewable passwd (encrypted) field.  They don't care if you're using a
shadow file or not.

It's really your call as to how deep you want to take password
management.  How important is the data or system that it is that you're
trying to protect?  How accessible is the box?  Are your users smart
enough to not use easily guessable (by a human) passwords?  It's all a
balance between security of your assets and productivity of your users. 
From a user viewpoint, a complicated password is a pain to manage.  They
start writing them down or other equally stupid workarounds.

We're in a lab behind a firewall.  We're just happy that the engineers
even use passwords.  :-)

Geoff

> 
> Hello,
> 
> I have a RH 7.1 box running with shadow-utils-20000826-4 version, and so far
> the prompt to change the password works, but it does not want to accept ANY
> new password. Even the real sturdy passwords like B1u3 K@t! . The system
> complains that they are too simple. Now, while I agree that simple passwords
> are NOT good, there has to be something reasonable here. How can I fix this?
> 
> Thanks!
> 
> -James
> 
> James Kelty
> Sr. Unix Systems Administrator
> Everbase Systems, LLC
> 541.488.0801
> jamesk@everbase.net
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
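
The point made in the reply above (undo the character substitutions, then look the pieces up in a dictionary) can be written as a password-quality check. This is an added example, not part of the original thread and not the shadow-utils code; the function names, the extra substitutions beyond 1=l, 3=e, @=a, and the small word list are assumptions made for illustration.

```python
import re

# Substitutions named in the message (1=l, 3=e, @=a) plus a few common ones
# assumed for this example.
LEET = str.maketrans({"1": "l", "3": "e", "@": "a", "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_WORDS = {"blue", "cat", "dog", "password", "secret"}


def candidate_words(password):
    """Undo leetspeak, lowercase, and split on anything that is not a letter."""
    plain = password.lower().translate(LEET)
    return [tok for tok in re.split(r"[^a-z]+", plain) if tok]


def spellings(token):
    """The token itself plus the phonetic swap from the message (K=c)."""
    return {token, token.replace("k", "c")}


def dictionary_hits(password, words=SAMPLE_WORDS):
    """Return the dictionary words a password reduces to, in order."""
    hits = []
    for token in candidate_words(password):
        match = sorted(spellings(token) & set(words))
        if match:
            hits.append(match[0])
    return hits


def too_simple(password, words=SAMPLE_WORDS):
    """True when every alphabetic part of the password is a dictionary word."""
    tokens = candidate_words(password)
    return bool(tokens) and len(dictionary_hits(password, words)) == len(tokens)


if __name__ == "__main__":
    # Constructed sample passwords, including the one from the thread.
    for pw in ("B1u3 K@t!", "p@$$w0rd", "xq7#Lm2vRz"):
        print(repr(pw), dictionary_hits(pw), too_simple(pw))
```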
