Date: Wed, 19 Jun 2002 11:01:06 -0600 (CST)
From: Ryan Thompson
To: Klaus Steden
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password security
In-Reply-To: <20020619013603.O99167@cthulu.compt.com>
Message-ID: <20020619104812.W14256-100000@ren.sasknow.com>

Klaus Steden wrote to Ryan Thompson:

> In the meantime, you could crack them on a regular basis for them.
> John the Ripper does a pretty good job of my password files, with a
> dictionary of about 6 million odd words.

Done that. About 10% of the passwords fell within the first 10 minutes.
After 36 hours on a PII-400MHz machine, I had done only a little better
than that. That's probably *better* than many systems, but as long as one
staff member's account can be easily compromised, I won't take much
comfort in being "more secure" than the next network. :-)

Ironically, our untrained customers seem to be at least as good as our
trained staff members at choosing secure passwords. Knowledge and practice
are clearly two orthogonal axes. :-)

So, that's why I'm making an effort to mandate stronger passwords for
staff members. (Customers are limited to chroot()'d FTP logins only, and
staff members can be trained and encouraged to follow directions. :-)

- Ryan

-- 
  Ryan Thompson
  SaskNow Technologies - http://www.sasknow.com
  901 1st Avenue North - Saskatoon, SK - S7K 1Y4

  Tel: 306-664-3600   Fax: 306-664-3630   Saskatoon
  Toll-Free: 877-727-5669 (877-SASKNOW)   North America