Date:      Fri, 23 Feb 96 09:22:49 -0800
From:      Cy Schubert - BCSC Open Systems Group <cschuber@uumail.gov.bc.ca>
To:        Brian Tao <taob@io.org>
Cc:        FREEBSD-SECURITY-L <freebsd-security@FreeBSD.org>
Subject:   Re: Informing users of cracked passwords?  
Message-ID:  <199602231722.JAA27776@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Fri, 23 Feb 96 04:11:14 EST." <Pine.BSF.3.91.960223040346.18637J-100000@zip.io.org> 


Brian Tao <taob@io.org> wrote:
>     What is generally the best approach to handling a situation in an
> ISP where a large number of users (e.g., over 1000) are found to
> have vulnerable passwords?
> 
>     We ran Crack on our master.passwd for a week or so, and after the
> dust settled, over 1700 accounts were exposed.  This is what we did:
> 
> 1)  Gave no warning to our users (we didn't want to alert hackers to
>     our crackdown on bad passwords)
> 
> 2)  Installed a new passwd binary linked with libcrack
> 
> 3)  Expired all affected passwords and set home directories to mode
>     000 (mainly to deny access to the .rhosts file and public_html
>     directory)

One could use TCP/Wrapper to restrict the effectiveness of "r" commands to hosts 
that you trust, thereby negating any entries users have put in their .rhosts 
files of hosts that you don't trust.

> 
> 4)  Required that new passwords be provided via voice call to our
>     customer support desk
> 
>     From previous discussions in security-related newsgroups, I am
> under the impression that the best policy for a public-access site
> is a clean sweep like this.  No warning of the impending cut-off
> date, and force the user to specify a better password.
> 
>     Does anyone have any counter-advice to the above method?
> --
> Brian Tao (BT300, taob@io.org)
> Systems Administrator, Internex Online Inc.
> "Though this be madness, yet there is method in't"
> 
> 


Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
BC Systems Corp.            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

		"Quit spooling around, JES do it."
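The TCP Wrappers restriction suggested above, as an added example that is not part of the thread: a small Python model of how tcpd walks /etc/hosts.allow and then /etc/hosts.deny for rlogind and rshd. The rule text, the trusted domain (.trusted.example), the trusted network (10.1.2.) and the client hosts are constructed placeholders; the point shown is that a connection from an untrusted host is refused before the daemon ever consults a user's .rhosts file.

```python
# Added example (not from the thread): a small model of how tcpd evaluates
# /etc/hosts.allow and /etc/hosts.deny for the r-daemons. Host names,
# networks and the rule text below are constructed placeholders.

# Constructed rules: rlogind/rshd accept only a trusted domain and one
# trusted network; everything else is refused before ~/.rhosts is consulted.
HOSTS_ALLOW = "rlogind, rshd: .trusted.example, 10.1.2.\n"
HOSTS_DENY = "rlogind, rshd: ALL\n"


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, host, addr):
    """Subset of tcpd patterns: ALL, exact host/address, '.domain', 'net.'."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                   # domain suffix match
        return host.endswith(pattern)
    if pattern.endswith("."):                     # address prefix match
        return addr.startswith(pattern)
    return pattern in (host, addr)


def first_match(rules, daemon, host, addr):
    return any(("ALL" in ds or daemon in ds)
               and any(client_matches(c, host, addr) for c in cs)
               for ds, cs in rules)


def tcpd_allows(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: a hosts.allow match grants, then a hosts.deny match
    refuses, and a client matching neither file is granted access."""
    if first_match(parse_rules(allow), daemon, host, addr):
        return True
    if first_match(parse_rules(deny), daemon, host, addr):
        return False
    return True


if __name__ == "__main__":
    for args in [("rshd", "ws1.trusted.example", "10.1.2.7"),
                 ("rlogind", "box.attacker.example", "192.0.2.9")]:
        print(*args, "allowed" if tcpd_allows(*args) else "denied")
```

Note that only the daemons named in the rules are affected: a service not listed in either file falls through to the default of "allowed", so each wrapped daemon needs its own deny entry (or a deny-ALL rule).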
