From owner-freebsd-security Fri Feb 23 07:36:05 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id HAA15629 for security-outgoing; Fri, 23 Feb 1996 07:36:05 -0800 (PST)
Received: from rk.ios.com (rk.ios.com [198.4.75.55]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id HAA15597 for ; Fri, 23 Feb 1996 07:35:59 -0800 (PST)
Received: (from rashid@localhost) by rk.ios.com (8.6.11/8.6.9) id KAA08081; Fri, 23 Feb 1996 10:35:30 -0500
From: Rashid Karimov
Message-Id: <199602231535.KAA08081@rk.ios.com>
Subject: Re: Informing users of cracked passwords?
To: taob@io.org (Brian Tao)
Date: Fri, 23 Feb 1996 10:35:30 -0500 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Brian Tao" at Feb 23, 96 04:11:14 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

Hi there folx,

> What is generally the best approach to handling a situation in an
> ISP where a large number of users (e.g., over 1000) are found to
> have vulnerable passwords?

Oh boy! :)

It happens all the time - some clients (probably 3-4%) who know how to
use the passwd program, have access to the shell and don't realize the
vulnerability they get by using weak passwords - just change it - to
the most popular ones. Happens all the time.

I remember the passwd program on SCO - that was a really perfect thing!
Admin could force users to change passwds regularly (bad for ISP), make
them use only _generated passwords; old passwords and their variations
couldn't be used either.

Expiration is definitely not the way to go - since a lot of clients use
shell _very occasionally, and what will happen is they won't be able to
use POP3 (precious Eudora :), ftp will fail etc.

> We ran Crack on our master.passwd for a week or so, and after the
> dust settled, over 1700 accounts were exposed. This is what we did:
>
> 1) Gave no warning to our users (we didn't want to alert hackers to
> our crackdown on bad passwords)
>
> 2) Installed a new passwd binary linked with libcrack
>
> 3) Expired all affected passwords and set home directories to mode
> 000 (mainly to deny access to the .rhosts file and public_html
> directory)
>
> 4) Required that new passwords be provided via voice call to our
> customer support desk
>
> From previous discussions in security-related newsgroups, I am
> under the impression that the best policy for a public-access site
> is a clean sweep like this. No warning of the impending cut-off
> date, and force the user to specify a better password.

Looks like the way to go with 1000 accounts. Is there a passwd
program which will force a person to use one of the generated
passwords? I think it would be very useful ...

Rashid
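As an added illustration (not part of the thread, and not FreeBSD's passwd or libcrack), the following Python shows the two pieces the message touches on: the kind of check a libcrack-linked passwd binary performs before accepting a new password (length, character mix, user name, dictionary words including reversed, digit-suffixed and leetspeak variants), and a generator plus acceptance test for the "force one of the generated passwords" idea Rashid asks about. The word list, the minimum length of 8 and the three-class rule are constructed assumptions for the example, not values from the thread or from libcrack.

```python
"""Cracklib-style password quality check plus a random password generator.

Added example, not FreeBSD's passwd or libcrack. The word list is a tiny
constructed sample; a real deployment loads a full dictionary such as the
one Crack itself uses.
"""
import secrets
import string

# Constructed sample dictionary (assumption for the example).
WORDLIST = {
    "password", "secret", "welcome", "letmein", "freebsd", "eudora",
    "qwerty", "monkey", "dragon", "master", "summer", "winter",
}

MIN_LENGTH = 8          # assumed policy threshold
MIN_CLASSES = 3         # assumed: of lower / upper / digit / other
# Common leetspeak substitutions undone before the dictionary lookup.
LEET = str.maketrans("0134578@$!", "oleastbasi")
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def _candidates(pw):
    """Yield the normalised forms of pw a dictionary attack would try:
    lower-cased, reversed, with leading/trailing digits and punctuation
    stripped, and with leetspeak undone."""
    base = pw.lower()
    seen = set()
    for form in (base, base[::-1]):
        for c in (form, form.strip(string.digits + string.punctuation)):
            for variant in (c, c.translate(LEET)):
                if variant and variant not in seen:
                    seen.add(variant)
                    yield variant


def check_password(pw, username, wordlist=WORDLIST):
    """Return a list of reasons pw is weak; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(pw)) < 4:
        problems.append("too few distinct characters")
    classes = sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ))
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    user = username.lower()
    if user and any(user in c for c in _candidates(pw)):
        problems.append("based on the user name")
    hit = next((c for c in _candidates(pw) if c in wordlist), None)
    if hit is not None:
        problems.append(f"based on dictionary word '{hit}'")
    return problems


def generate_password(length=12, username=""):
    """Draw from the OS CSPRNG until a candidate passes check_password."""
    length = max(length, MIN_LENGTH)
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw, username):
            return pw


def offer_passwords(n=3, length=12, username=""):
    """A handful of generated choices to present to the user."""
    return [generate_password(length, username) for _ in range(n)]


def accept_generated(offered, chosen):
    """Front-end rule for an SCO-style passwd: only a password the user
    was actually offered is accepted, anything typed freely is refused."""
    return chosen in offered


if __name__ == "__main__":
    for pw, user in (("password", "alice"), ("P@ssw0rd1", "bob"),
                     ("Alice2024!", "alice")):
        print(f"{pw!r} for {user}: {check_password(pw, user) or 'ok'}")
    choices = offer_passwords(3, username="alice")
    print("offered:", choices, "accepted:", accept_generated(choices, choices[0]))
```

The leetspeak and suffix stripping is what catches "P@ssw0rd1" even though it satisfies the length and character-class rules, which is the difference between a superficial complexity check and a libcrack-style dictionary check. The generator simply rejects its own output until it would pass the same check, so the two halves cannot disagree about what counts as acceptable.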