From owner-freebsd-questions Thu Feb 26 16:14:22 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA01495 for freebsd-questions-outgoing; Thu, 26 Feb 1998 16:14:22 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from shark.nas.nasa.gov (shark.nas.nasa.gov [129.99.34.41]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA01467 for ; Thu, 26 Feb 1998 16:14:01 -0800 (PST) (envelope-from edavis@shark.nas.nasa.gov)
Received: from shark.nas.nasa.gov (edavis@localhost) by shark.nas.nasa.gov (8.8.7/NAS8.8.7) with ESMTP id QAA20942; Thu, 26 Feb 1998 16:13:38 -0800 (PST)
Message-Id: <199802270013.QAA20942@shark.nas.nasa.gov>
X-Mailer: exmh version 2.0.1 12/23/97
To: LOlayiwola
cc: questions@FreeBSD.ORG
Subject: Re: Unix System Security
In-reply-to: miker's message of Thu, 26 Feb 1998 19:30:06 -0400.
Date: Thu, 26 Feb 1998 16:13:37 -0800
From: "Eric A. Davis"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 26 Feb 1998 19:30:06 -0400 (AST) Michael Richards wrote

>> 2) How could I as a security advisor advise a network administrator to cater
>> for this security problem.
>
>One important thing is to educate the users. Have them pick good
>passwords. Something like foobar is not a good password, nor is 555-2344,
>or julie. People who don't know any better commonly choose passwords like
>this. Take person X, he is going out with someone named Julie, and his
>phone number is 555-2344. Not hard to guess his password.
>
>If the cracker is able to get the passwd file they can run something
>called a dictionary crack on it. That involves going through the
>dictionary and trying permutations of words and numbers and trying them
>against the users. Someone with a bad password may match one of the
>program's guesses.
>
>A password like: 3%gP)3s would be a good one because it is not
>pronounceable, an English word it is not, hence there is little chance of a
>dictionary crack getting it. Also, if someone saw the 1st 3 characters,
>they couldn't guess the rest. Juli, if you knew the person, would be an
>easy guess.
>

To combat against users choosing bad passwords you should install a
'passwd' app that pro-actively checks the password. That is, checks the
password's integrity before it is changed. Some excellent 'passwd' apps
are Epasswd, passwd+, and npasswd. The Epasswd homepage also has some
good statistics about password permutations.

http://www.nas.nasa.gov/~edavis/epasswd/

- eric

--
Eric Allen Davis                    Network Engineer
edavis@nas.nasa.gov                 NASA Ames Research Center
Voice: (415)604-2543                NAS Systems Division
Pager: (415)428-6931                http://www.nas.nasa.gov/~edavis

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
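The proactive check the reply recommends, as an added example in Python (this is not code from Epasswd, passwd+ or npasswd, nor from anyone in the thread). It applies the rules the thread spells out: reject dictionary words and their simple permutations (case, leet substitutions, appended digits, reversal), reject plain numbers such as a phone number, reject anything containing a fragment of what is known about the user (name, phone), and reject passwords whose first few characters are the start of a common word, since the rest is then guessable. The word list, the rule set and the `min_len=6` default are constructed assumptions for illustration; a real deployment would load a full dictionary and name list and use a much longer minimum.

```python
"""Proactive password-quality check, in the spirit of the passwd
replacements named in the thread.  Added example, not their code; the
word list, rules and thresholds below are constructed for illustration."""
import re
import string

# Constructed mini word list.  A real checker loads /usr/share/dict/words
# plus first names, host names and other local vocabulary.
WORDLIST = {
    "foobar", "foo", "bar", "password", "julie", "welcome",
    "secret", "letmein", "sunshine", "dragon", "monkey",
}

# Common "leet" substitutions that a dictionary crack tries as permutations.
LEET = str.maketrans("01345@$!", "oleasasi")

CHARACTER_CLASSES = (
    string.ascii_lowercase, string.ascii_uppercase,
    string.digits, string.punctuation,
)


def candidate_forms(password):
    """Normalised variants a dictionary crack would also generate:
    lower-cased, leet-decoded, with leading/trailing digits and
    punctuation stripped ("Julie99!" -> "julie"), and reversed."""
    base = password.lower()
    stripped = base.strip(string.digits + string.punctuation)
    forms = {
        base, base.translate(LEET),
        stripped, stripped.translate(LEET),
        base[::-1],
    }
    return {f for f in forms if f}


def check_password(password, user_info=(), wordlist=WORDLIST, min_len=6):
    """Return the list of reasons a proposed password is rejected.

    An empty list means the password passes.  ``user_info`` holds strings
    known about the account (login name, real name, phone number, ...),
    no fragment of which may appear in the password.  ``min_len=6`` is an
    assumed 1990s-era default; raise it for a modern deployment."""
    reasons = []
    words = {w.lower() for w in wordlist}
    forms = candidate_forms(password)

    if len(password) < min_len:
        reasons.append("shorter than %d characters" % min_len)

    classes = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in password))
    if classes < 3:
        reasons.append("uses fewer than 3 character classes "
                       "(lower, upper, digit, punctuation)")

    # A bare number, phone number or date is trivially enumerable.
    if re.fullmatch(r"[\d\s().\-/]+", password):
        reasons.append("consists only of digits and separators")

    if forms & words:
        reasons.append("is a dictionary word or a simple permutation of one")

    # The "first three characters" point from the thread: if the password
    # starts like a common word, the remainder is easy to guess.
    prefixes = {f[:4] for f in forms if len(f) >= 4}
    if any(w.startswith(p) for p in prefixes for w in words):
        reasons.append("begins like a dictionary word, so the remainder is guessable")

    # Names, phone numbers and the like, matched against every normalised form.
    for item in user_info:
        for token in re.split(r"\W+", item.lower()):
            if len(token) >= 3 and any(token in f for f in forms):
                reasons.append("contains personal information (%r)" % token)
                break
    return reasons


if __name__ == "__main__":
    # Constructed examples, including the three bad and one good password
    # from the thread, checked against the thread's "person X" details.
    known = ("Julie", "555-2344")
    for pw in ["foobar", "555-2344", "julie", "Julie99!", "p@ssw0rd1", "3%gP)3s"]:
        verdict = check_password(pw, user_info=known)
        print("%-10s %s" % (pw, "OK" if not verdict else "; ".join(verdict)))
```

The check is meant to run before the new password is committed, exactly where a passwd replacement hooks in; the candidate-form step is what turns a plain word-list lookup into a defence against the permutations a dictionary run would try.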