Date: Fri, 23 Feb 1996 10:35:30 -0500 (EST)
From: Rashid Karimov <rashid@rk.ios.com>
To: taob@io.org (Brian Tao)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Informing users of cracked passwords?
Message-ID: <199602231535.KAA08081@rk.ios.com>
In-Reply-To: <Pine.BSF.3.91.960223040346.18637J-100000@zip.io.org> from "Brian Tao" at Feb 23, 96 04:11:14 am
Hi there folx,

> What is generally the best approach to handling a situation in an
> ISP where a large number of users (e.g., over 1000) are found to
> have vulnerable passwords?

Oh boy ! :) It happens all the time - some clients (probably 3-4%) who know how to use the passwd program, have access to the shell and don't realize the vulnerability they get by using weak passwords - just change it - to the most popular ones. Happens all the time.

I remember the passwd program on SCO - that was a really perfect thing! The admin could force users to change passwds regularly (bad for an ISP), make them use only _generated_ passwords; old passwords and their variations couldn't be used either.

Expiration is definitely not the way to go - since a lot of clients use the shell _very occasionally_, and what will happen is they won't be able to use POP3 (precious Eudora :), ftp will fail etc.

> We ran Crack on our master.passwd for a week or so, and after the
> dust settled, over 1700 accounts were exposed. This is what we did:
>
> 1) Gave no warning to our users (we didn't want to alert hackers to
> our crackdown on bad passwords)
>
> 2) Installed a new passwd binary linked with libcrack
>
> 3) Expired all affected passwords and set home directories to mode
> 000 (mainly to deny access to the .rhosts file and public_html
> directory)
>
> 4) Required that new passwords be provided via voice call to our
> customer support desk
>
> From previous discussions in security-related newsgroups, I am
> under the impression that the best policy for a public-access site
> is a clean sweep like this. No warning of the impending cut-off
> date, and force the user to specify a better password.

Looks like the way to go with 1000 accounts.

Is there a passwd program which will force a person to use one of the generated passwords? I think it would be very useful ...

Rashid