Password aging problem

Password aging problem

[James Kelty]

Hello,

I have a RH 7.1 box running with shadow-utils-20000826-4 version, and so far
the prompt to change the password works, but it does not want to accept ANY
new password. Even the real sturdy passwords like B1u3 K@t! . The system
complians that they are too simple. Now, while I agree that simple passwords
are NOT good, there has to be something reasonable here. How can I fix this?

Thanks!

-James


James Kelty
Sr. Unix Systems Administrator
Everbase Systems, LLC
541.488.0801
jamesk@everbase.net

Re: Password aging problem

[Geoff Torres]

Hi,

I'm not familiar with shadow-utils, but I can tell you that "B1u3 K@t!"
is not particularly sturdy from a password cracking viewpoint.  The idea
of using numbers to represent letters is well known and used by cracking
algorithms.
1=l, 3=e, @=a, K=c, both blue and cat are dictionary words.

Now I agree with you that nobody will likely guess that password, but a
computer would if given access to your shadow file.  

Most password checking algorithms assume that you have a publicly
viewable passwd (encrypted) field.  They don't care if you're using a
shadow file or not.

It's really your call as to how deep you want to take password
management.  How important is the data or system that it is that you're
trying to protect?  How accessible is the box?  Are your users smart
enough to not use easily guessable (by a human) passwords?  It's all a
balance between security of your assets and productivity of your users. 
From a user viewpoint, a complicated password is a pain to manage.  They
start writing them down or other equally stupid work-a-rounds.

We're in a lab behind a firewall.  We're just happy that the engineers
even use passwords.  :-)

Geoff

> 
> Hello,
> 
> I have a RH 7.1 box running with shadow-utils-20000826-4 version, and so far
> the prompt to change the password works, but it does not want to accept ANY
> new password. Even the real sturdy passwords like B1u3 K@t! . The system
> complians that they are too simple. Now, while I agree that simple passwords
> are NOT good, there has to be something reasonable here. How can I fix this?
> 
> Thanks!
> 
> -James
> 
> James Kelty
> Sr. Unix Systems Administrator
> Everbase Systems, LLC
> 541.488.0801
> jamesk@everbase.net
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

RE: Password aging problem

[James Kelty]

Actually! I figured out the problem, and it was the pam version. I had to
get the upgrade from RedHat, but it did work. So, at least they will once in
a while have to change the password.

We are behind a firewall as well, but not securing the passwords on dev
systems is just a bad idea. I can't think that the firewall will protect
ANYTHING, just slow people down a little. And, as most attacks ACTUALLY come
from inside the network that the firewall is 'protecting', then, you have to
take that into consideration as well.

I once had a bet with a developer that I could hack into his dev system
account in less than 20 minutes, and surprise surprise  I was able to
because of a weak password choice. While I agree that 'B1u3 K@t!' isn't the
best password in the world, it should have been, and would have been if not
for a bug, acceptable to pam.

So, onto password genarators!

Thanks guys!

-James

-----Original Message-----
From: linux-admin-owner@vger.kernel.org
[mailto:linux-admin-owner@vger.kernel.org]On Behalf Of James Kelty
Sent: Friday, June 28, 2002 2:46 PM
To: linux-admin@vger.kernel.org
Subject: Password aging problem


Hello,

I have a RH 7.1 box running with shadow-utils-20000826-4 version, and so far
the prompt to change the password works, but it does not want to accept ANY
new password. Even the real sturdy passwords like B1u3 K@t! . The system
complians that they are too simple. Now, while I agree that simple passwords
are NOT good, there has to be something reasonable here. How can I fix this?

Thanks!

-James


James Kelty
Sr. Unix Systems Administrator
Everbase Systems, LLC
541.488.0801
jamesk@everbase.net

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Password aging problem

[David Jackson]

The is a number of password generations programs on http://freshmeat.net,
One I tinkered with is passwdgen. 

The problem with really good password, you cann't remember them :)

I've worked at a few sites where secrure tokens were used, at least
for the root accounts.

David


---------- Original Message ----------------------------------
From: Geoff Torres <geoff@rosemail.rose.hp.com>
Date: 	Fri, 28 Jun 2002 15:10:27 -0700

>Hi,
>
>I'm not familiar with shadow-utils, but I can tell you that "B1u3 K@t!"
>is not particularly sturdy from a password cracking viewpoint.  The idea
>of using numbers to represent letters is well known and used by cracking
>algorithms.
>1=l, 3=e, @=a, K=c, both blue and cat are dictionary words.
>
>Now I agree with you that nobody will likely guess that password, but a
>computer would if given access to your shadow file.  
>
>Most password checking algorithms assume that you have a publicly
>viewable passwd (encrypted) field.  They don't care if you're using a
>shadow file or not.
>
>It's really your call as to how deep you want to take password
>management.  How important is the data or system that it is that you're
>trying to protect?  How accessible is the box?  Are your users smart
>enough to not use easily guessable (by a human) passwords?  It's all a
>balance between security of your assets and productivity of your users. 
>>From a user viewpoint, a complicated password is a pain to manage.  They
>start writing them down or other equally stupid work-a-rounds.
>
>We're in a lab behind a firewall.  We're just happy that the engineers
>even use passwords.  :-)
>
>Geoff
>
>> 
>> Hello,
>> 
>> I have a RH 7.1 box running with shadow-utils-20000826-4 version, and so far
>> the prompt to change the password works, but it does not want to accept ANY
>> new password. Even the real sturdy passwords like B1u3 K@t! . The system
>> complians that they are too simple. Now, while I agree that simple passwords
>> are NOT good, there has to be something reasonable here. How can I fix this?
>> 
>> Thanks!
>> 
>> -James
>> 
>> James Kelty
>> Sr. Unix Systems Administrator
>> Everbase Systems, LLC
>> 541.488.0801
>> jamesk@everbase.net
>> 
>> -
>> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>-
>To unsubscribe from this list: send the line "unsubscribe linux-admin" in
>the body of a message to majordomo@vger.kernel.org
>More majordomo info at  http://vger.kernel.org/majordomo-info.html
>