Date: Wed, 19 Jun 2002 01:36:04 -0400
From: Klaus Steden <klaus@compt.com>
To: Ryan Thompson <ryan@sasknow.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password security
Message-ID: <20020619013603.O99167@cthulu.compt.com>
In-Reply-To: <20020618204711.I65632-100000@ren.sasknow.com>; from ryan@sasknow.com on Tue, Jun 18, 2002 at 10:06:10PM -0600
References: <20020618204711.I65632-100000@ren.sasknow.com>
> My staffers are using plain old passwords for logins. ALL logins are
> via SSH from various platforms, using passwords. Some are logging in
> from Windows clients that don't support much else. And, on the
> security/convenience continuum, I won't have much of a network to
> secure if nobody gets any work done. :-)
>
> I'm well aware of the inherent insecurity of what your average human
> can remember. It's currently a weak link for us, so it is one aspect
> of our security that I would like to improve. So, for the purposes of
> this message, please assume all other avenues have been secured. ;-)
>
> So, given the limitations of remote access (from machines assumed to
> be insecure), and some fairly dumb Windows clients, what are some
> solutions to password security?
>
> The best I've come up with so far is to issue random passwords, from
> an array of 68 possible characters (alphanumeric and some easily-typed
> symbols). I issue two passwords for each user. One is short enough to
> be remembered with a small effort (6 characters, entropy > 2^36,
> assuming my randomizer is up to par). The second password is longer
> (10 characters, > 2^60), and is designed to be printed on a small card
> that the user carries with them like a token or a key. Obviously, you
> could argue the merits of shorter vs. longer keys. My choices are
> still quite arbitrary at this stage. New passwords would be issued at
> regular intervals. (Remember, these are staff members. I can do that.
> :-)

In the meantime, you could crack them on a regular basis for them. John
the Ripper does a pretty good job of my password files, with a dictionary
of about 6-million-odd words. It's usually a bit of an eye-opener for
someone to discover his 'highly secure' password staring at him when he
opens his email.

HTH,
Klaus

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
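The two ideas in this exchange, the issuance scheme Ryan quotes (random passwords from a 68-character alphabet, one of 6 and one of 10 characters) and Klaus's suggestion of auditing the password file with a dictionary cracker, are shown together below as an added example; it is not code from either poster and not how John the Ripper is implemented. Assumptions not in the thread: which six symbols make up the 68-character alphabet (62 alphanumerics plus six symbols is one way to reach 68), PBKDF2-SHA256 standing in for the system's crypt(3) hash, and the constructed wordlist and shadow-style records used as sample input.

```python
"""Random password issuance and a dictionary audit, modelled on the thread.

Added example, not code from either poster. Assumptions (not in the thread):
the six symbols chosen for the 68-character alphabet, PBKDF2-SHA256 as a
stand-in for the system's crypt(3) hash, and the constructed wordlist and
shadow entries below.
"""
import hashlib
import hmac
import math
import secrets

# 26 lower + 26 upper + 10 digits + 6 easily typed symbols = 68.
# Which six symbols to use is an assumption; the thread does not list them.
ALPHABET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "!@#$%+"
)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of `length` symbols.

    6 symbols from 68 gives ~36.5 bits and 10 gives ~60.9 bits, which is
    where the '> 2^36' and '> 2^60' figures in the quoted message come from.
    """
    return length * math.log2(alphabet_size)


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS CSPRNG (secrets), never random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def issue_pair() -> tuple:
    """The quoted scheme: a 6-char memorable password and a 10-char card password."""
    return generate_password(6), generate_password(10)


# --- dictionary audit, in the spirit of running a cracker over the password file ---

ITERATIONS = 1000  # kept small so the example runs in seconds


def hash_password(password: str, salt: str) -> bytes:
    """Stand-in for the system password hash (assumption: PBKDF2-SHA256, not crypt(3))."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)


def make_entry(password: str, salt: str) -> tuple:
    """Build one shadow-style record: (salt, hash)."""
    return salt, hash_password(password, salt)


def candidates(wordlist):
    """Cheap mangling rules of the kind a cracker applies to each dictionary word."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        yield word.upper()
        yield word[::-1]
        for n in range(100):
            yield f"{word}{n}"
            yield f"{word.capitalize()}{n}"


def audit(shadow: dict, wordlist) -> dict:
    """Return {user: recovered_password} for every entry the dictionary attack cracks."""
    cracked = {}
    for user, (salt, digest) in shadow.items():
        for cand in candidates(wordlist):
            # Each candidate must be hashed under the user's own salt.
            if hmac.compare_digest(hash_password(cand, salt), digest):
                cracked[user] = cand
                break
    return cracked


# Constructed sample data: a tiny wordlist and two accounts.
WORDLIST = ["password", "secret", "freebsd", "letmein", "dragon"]
SAMPLE_SHADOW = {
    "alice": make_entry("Freebsd7", "s4lt"),          # human-chosen: word + rule
    "bob": make_entry(generate_password(6), "x9Qz"),  # issued random password
}


if __name__ == "__main__":
    short, card = issue_pair()
    print(f"memorable: {short} ({entropy_bits(6):.1f} bits)")
    print(f"card:      {card} ({entropy_bits(10):.1f} bits)")
    print("cracked:", audit(SAMPLE_SHADOW, WORDLIST))
```

Running it recovers alice's word-plus-digit password while bob's issued random one survives the same wordlist and rules; the point of a periodic audit like Klaus's is exactly that gap between what people pick for themselves and what the issuance scheme hands them.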
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020619013603.O99167>