From owner-freebsd-security Tue Jun 18 22:36:15 2002
Delivered-To: freebsd-security@freebsd.org
Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by hub.freebsd.org (Postfix) with ESMTP id 3EC7237B40C for ; Tue, 18 Jun 2002 22:36:09 -0700 (PDT)
Date: Wed, 19 Jun 2002 01:36:04 -0400
From: Klaus Steden
To: Ryan Thompson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password security
Message-ID: <20020619013603.O99167@cthulu.compt.com>
References: <20020618204711.I65632-100000@ren.sasknow.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020618204711.I65632-100000@ren.sasknow.com>; from ryan@sasknow.com on Tue, Jun 18, 2002 at 10:06:10PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> My staffers are using plain old passwords for logins. ALL logins are
> via SSH from various platforms, using passwords. Some are logging in
> from Windows clients that don't support much else. And, on the
> security/convenience continuum, I won't have much of a network to
> secure if nobody gets any work done. :-)
>
> I'm well aware of the inherent insecurity of what your average human
> can remember. It's currently a weak link for us, so it is one aspect
> of our security that I would like to improve. So, for the purposes of
> this message, please assume all other avenues have been secured. ;-)
>
> So, given the limitations of remote access (from machines assumed to
> be insecure), and some fairly dumb Windows clients, what are some
> solutions to password security?
>
> The best I've come up with so far is to issue random passwords, from
> an array of 68 possible characters (alpha num and some easily-typed
> symbols). I issue two passwords for each user. One is short enough to
> be remembered with a small effort (6 characters, entropy > 2^36,
> assuming my randomizer is up to par). The second password is longer
> (10 characters, > 2^60), and is designed to be printed on a small card
> that the user carries with them like a token or a key. Obviously, you
> could argue the merits of shorter vs. longer keys. My choices are
> still quite arbitrary at this stage. New passwords would be issued at
> regular intervals. (Remember, these are staff members. I can do that.
> :-)
>
In the meantime, you could crack them on a regular basis for them. John
the Ripper does a pretty good job of my password files, with a dictionary
of about 6 million odd words. It's usually a bit of an eye-opener for
someone to discover his 'highly secure' password staring at him when he
opens his email.

HTH,
Klaus

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
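The quoted scheme (two uniformly random passwords drawn from a 68-character alphabet, 6 characters for memory and 10 for a card) rests on two claims: that the entropy really is above 2^36 and 2^60 respectively, and that the "randomizer is up to par". The following Python is an added worked example, not code from the thread or from either poster; it checks the entropy arithmetic for any alphabet size and length, derives the minimum length for a target bit count, and draws passwords with the operating system's CSPRNG (`secrets`) so the stated entropy is actually achieved. The six symbols in `SYMBOLS` are an assumption; the post only says "some easily-typed symbols".

```python
import math
import secrets
import string

# Constructed alphabet: 26 + 26 + 10 alphanumerics plus 6 easy-to-type
# symbols = 68 characters. Which six symbols the poster used is not stated,
# so this particular set is an assumption made for the example.
SYMBOLS = "!@#$%&"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose `length` characters are drawn uniformly
    and independently from `alphabet_size` symbols: length * log2(size)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and 1 character")
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length whose uniform-random password reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def expected_guesses(alphabet_size: int, length: int) -> float:
    """Average guesses for an exhaustive search of the keyspace (half of it).
    Useful for sizing a policy against an assumed guess rate."""
    return alphabet_size ** length / 2


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw every character with secrets.choice (OS CSPRNG), not the
    random module, so the entropy computed above is not undercut by a
    weak generator. A duplicated symbol would skew the distribution, so
    the alphabet is checked for uniqueness first."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain duplicate characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def issue_pair(short_len: int = 6, long_len: int = 10) -> dict:
    """The scheme from the thread: one memorable password and one longer
    password meant for a printed card, each with its entropy in bits."""
    size = len(ALPHABET)
    return {
        "short": generate_password(short_len),
        "short_bits": entropy_bits(size, short_len),
        "long": generate_password(long_len),
        "long_bits": entropy_bits(size, long_len),
    }


if __name__ == "__main__":
    pair = issue_pair()
    print(f"alphabet size: {len(ALPHABET)}")
    print(f"short (6 chars): {pair['short']}  ~{pair['short_bits']:.2f} bits")
    print(f"long (10 chars): {pair['long']}  ~{pair['long_bits']:.2f} bits")
    print(f"length needed for 60 bits: {min_length_for_bits(len(ALPHABET), 60)}")
```

With 68 symbols each character contributes about 6.09 bits, so 6 characters give roughly 36.5 bits and 10 give roughly 60.9 bits, which confirms the two figures in the quoted message; `min_length_for_bits` shows that 9 characters would fall short of 60 bits, so 10 is the smallest length that meets that target.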