From mboxrd@z Thu Jan 1 00:00:00 1970
From: "David Jackson"
Subject: Re: Password aging problem
Date: Fri, 28 Jun 2002 16:15:47 -0600
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <200206281615.AA1534394626@wcox.com>
Reply-To:
Mime-Version: 1.0
Return-path:
List-Id:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: James Kelty, Geoff Torres
Cc: linux-admin@vger.kernel.org

There are a number of password generation programs on http://freshmeat.net.
One I tinkered with is passwdgen. The problem with really good passwords:
you can't remember them :)

I've worked at a few sites where secure tokens were used, at least for the
root accounts.

David

---------- Original Message ----------------------------------
From: Geoff Torres
Date: Fri, 28 Jun 2002 15:10:27 -0700

>Hi,
>
>I'm not familiar with shadow-utils, but I can tell you that "B1u3 K@t!"
>is not particularly sturdy from a password cracking viewpoint. The idea
>of using numbers to represent letters is well known and used by cracking
>algorithms.
>1=l, 3=e, @=a, K=c, both blue and cat are dictionary words.
>
>Now I agree with you that nobody will likely guess that password, but a
>computer would if given access to your shadow file.
>
>Most password checking algorithms assume that you have a publicly
>viewable passwd (encrypted) field. They don't care if you're using a
>shadow file or not.
>
>It's really your call as to how deep you want to take password
>management. How important is the data or system that it is that you're
>trying to protect? How accessible is the box? Are your users smart
>enough to not use easily guessable (by a human) passwords? It's all a
>balance between security of your assets and productivity of your users.
>From a user viewpoint, a complicated password is a pain to manage. They
>start writing them down or other equally stupid workarounds.
>
>We're in a lab behind a firewall. We're just happy that the engineers
>even use passwords. :-)
>
>Geoff
>
>>
>> Hello,
>>
>> I have a RH 7.1 box running with shadow-utils-20000826-4 version, and so far
>> the prompt to change the password works, but it does not want to accept ANY
>> new password. Even the real sturdy passwords like B1u3 K@t! . The system
>> complains that they are too simple. Now, while I agree that simple passwords
>> are NOT good, there has to be something reasonable here. How can I fix this?
>>
>> Thanks!
>>
>> -James
>>
>> James Kelty
>> Sr. Unix Systems Administrator
>> Everbase Systems, LLC
>> 541.488.0801
>> jamesk@everbase.net
>>
>> -
>> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
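
The substitution point in Geoff's reply (1=l, 3=e, @=a, K=c), as an added example that is not part of the original thread or of shadow-utils: a password-quality check that undoes such substitutions before consulting a dictionary. The function names, the extra substitutions beyond the four in the thread, and the tiny wordlist are assumptions made for illustration.

```python
import itertools

# Substitutions named in the thread: 1=l, 3=e, @=a, K=c. The other
# entries (1=i, 0=o, $=s, 5=s) are assumptions added for illustration.
SUBS = {"1": "li", "3": "e", "@": "a", "k": "kc", "0": "o", "$": "s", "5": "s"}

# Constructed sample wordlist; a real checker would load a full dictionary.
WORDS = {"blue", "cat", "password", "secret", "linux", "admin"}


def candidates(password, limit=4096):
    """Yield letter-only readings of password with substitutions undone."""
    options = []
    for ch in password.lower():
        if ch in SUBS:
            options.append(SUBS[ch])
        elif ch.isalpha():
            options.append(ch)
        # Spaces, punctuation and unmapped digits are dropped.
    for combo in itertools.islice(itertools.product(*options), limit):
        yield "".join(combo)


def split_into_words(text, words=WORDS):
    """Return dictionary words that concatenate to text, or None."""
    if not text:
        return []
    for end in range(len(text), 0, -1):  # try the longest prefix first
        if text[:end] in words:
            rest = split_into_words(text[end:], words)
            if rest is not None:
                return [text[:end]] + rest
    return None


def dictionary_reading(password):
    """Return the dictionary words a password reduces to, or None."""
    for reading in candidates(password):
        found = split_into_words(reading)
        if found:
            return found
    return None


if __name__ == "__main__":
    for pw in ("B1u3 K@t!", "p@$$w0rd", "xq7#Vr9!zL"):
        print(repr(pw), "->", dictionary_reading(pw))
```

A `None` result only means the password did not reduce to words in this small constructed list; it is not a measure of strength.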