Cyrano.De@f111.n125.z1.FIDONET.ORG (Cyrano De) (06/07/91)
Forgive me for jumping in mid-stream, but why would a person want to keep changing passwords? I'm not being fasicious (is that *darn* word spelled right?), just naive and paranoid (both at once!).
--
Cyrano De - via FidoNet node 1:125/777
UUCP: ...!uunet!hoptoad!fidogate!111!Cyrano.De
INTERNET: Cyrano.De@f111.n125.z1.FIDONET.ORG
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/12/91)
In article <14907.28501E2D@fidogate.FIDONET.ORG> Cyrano.De@f111.n125.z1.FIDONET.ORG (Cyrano De) writes:
>Forgive me for jumping in mid-stream, but why would a person want to keep changing passwords? I'm not being fasicious (is that *darn* word spelled right?), just naive and paranoid (both at once!).
>

Well, I can't tell if you meant "facetious" or "fascist" but I'll give you credit for not being either one! :)

The main reason for changing passwords is that eventually, your password may fall into the wrong hands without your knowing it. A common trick is to obtain copies of /etc/passwd files from UNIX systems. The passwords on them are encrypted, but password-guessing programs (relatively slow) can be used to crack some of them.

I happen to know that a rather out-of-date copy of the /etc/passwd file from one of my machines has fallen into unauthorized hands. We change our passwords often enough that this file is now worthless, though it is still circulating. In the "cracker" community it is not uncommon to be given passwords that are five years old, or so I hear.
--
-------------------------------------------------------
Michael A. Covington | Artificial Intelligence Programs
The University of Georgia | Athens, GA 30602 U.S.A.
-------------------------------------------------------
stanton@lurch.stanford.edu (Scott Stanton) (06/14/91)
On a related topic: I've seen several articles here which mention "shadow password files". Could some kind soul explain the meaning of this term? Thanks.
--
--Scott Stanton (stanton@cs.stanford.edu) --
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/14/91)
A shadow password file is a second /etc/passwd hidden in some special place and accessible only to the login program. The regular /etc/passwd (needed to determine file ownership, etc.) then doesn't have any passwords in it, not even encrypted ones.
--
-------------------------------------------------------
Michael A. Covington | Artificial Intelligence Programs
The University of Georgia | Athens, GA 30602 U.S.A.
-------------------------------------------------------
cosell@bbn.com (Bernie Cosell) (06/14/91)
mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
}In article <14907.28501E2D@fidogate.FIDONET.ORG> Cyrano.De@f111.n125.z1.FIDONET.ORG (Cyrano De) writes:
}>Forgive me for jumping in mid-stream, but why would a person want to keep changing passwords? I'm not being fasicious (is that *darn* word spelled right?), just naive and paranoid (both at once!).
}>
}The main reason for changing passwords is that eventually, your password
}may fall into the wrong hands without your knowing it. A common trick
}is to obtain copies of /etc/passwd files from UNIX systems. The passwords
}on them are encrypted, but password-guessing programs (relatively slow)
}can be used to crack some of them.

Yeah, but this is really muddle-headed reasoning, and in fact even the rainbow book on password maintenance is annoyingly non-logical about it. Generally, security considerations must flow from an evaluation of the threat, the cost of the change, the cost of a penetration, etc. In this case, there is this big non-quantifiable "article of faith": that one should pick some interval, totally at random as far as I can tell, and compel folks to change their passwords at least that often. Unlike other security matters [e.g., length of the password, or disallowing words from /usr/dict/words and such], there is apparently no way, and no need, to justify the interval chosen... would changing twice as often be more prudent? would changing only half as often be an unacceptable risk?

As we move to a world where security *ought*to* ever more be based on real, concrete analysis, I find myself more and more skeptical of doing things based on vague fears [and then doing them based NOT on an engineering analysis, but rather on doing them 'enough' to assuage the discomfort of the administrators]. It seems like a lousy way to be approaching the whole matter of computer security...

/Bernie\
mcovingt@athena.cs.uga.edu (Michael A. Covington) (06/15/91)
You're quite right, password change intervals are problematic. If passwords are required to be changed too often, it leads people to choose excessively easy-to-guess passwords so they'll be easy to remember. My own practice is to use very obscure passwords, and change them only when I have some suspicion that their secrecy has been compromised.
--
-------------------------------------------------------
Michael A. Covington | Artificial Intelligence Programs
The University of Georgia | Athens, GA 30602 U.S.A.
-------------------------------------------------------
newsham@wiliki.eng.hawaii.edu (Timothy Newsham) (06/15/91)
>I happen to know that a rather out-of-date copy of the /etc/passwd file
>from one of my machines has fallen into unauthorized hands.
>We change our passwords often enough that the file is now worthless.

There's a better way to protect yourself from /etc/passwd vandals than just changing the passwords on a regular basis. I'm sure you understand how most folks don't like to change their passwords often since they consider it too big a hassle to justify the security measure. Just make them pick a good password and then they won't have to change it anymore if they don't want to.

COPS and other such password hackers (like the ones in Phrack and LOD Tech Journal) work because people simply pick stupid passwords. COPS and the like first search for passwords that are identical to the login name. Then the hacking program goes on to try variations on the name that corresponds with the account. For example, consider account login joe, real name John Doe. The pass hacker would try joe, john, doe, johndoe, doejohn, nhoj, eod, eodnhoj, nhojeod, eoj, etc. If variations on the name don't work, the password hacker, if configured to do so, would go on to try every word in the dictionary. Most hackers don't go as far as trying the dictionary, since it takes weeks to compare every login with every word in the dictionary. Besides, just comparing names usually results in a few broken accounts. That's all any hacker wants or needs.

So, as Cliff Stoll always preaches, practice safe computing by choosing a password not in the dictionary, or pick a password of more than one word, or pick a word and throw in a few punctuation marks. That way it would take a Cray Supercomputer and a lot of luck to penetrate your account. And you won't have to keep changing your password (unless you use the same password on more than one system...but that's another lecture)
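The name-variant and dictionary passes Newsham describes are exactly what a password-quality check on the passwd program's side should reject before a weak password ever lands in /etc/passwd. This is an added example, not code from any poster or from COPS; the word list is a constructed stand-in for /usr/dict/words, and the account/word counts fed to the time estimate are assumed values.

```python
# Added example: reject passwords that the name-variant or dictionary pass
# described in the thread would break. Not COPS code; a defender-side check.
import itertools

# Constructed stand-in for /usr/dict/words.
SAMPLE_DICT = {"password", "secret", "welcome", "dragon", "letmein"}


def name_variants(login, real_name):
    """Strings derived from the login and real name: the pieces themselves,
    every two-piece concatenation, and the reversal of each of those."""
    parts = [login.lower()] + real_name.lower().split()
    variants = set(parts)
    for a, b in itertools.permutations(parts, 2):
        variants.add(a + b)          # johndoe, doejohn, joedoe, ...
    variants |= {v[::-1] for v in list(variants)}   # nhoj, eod, eodnhoj, ...
    return variants


def is_weak(password, login, real_name, dictionary=SAMPLE_DICT):
    """True if the candidate falls to either pass a cracker runs first."""
    p = password.lower()
    if p in name_variants(login, real_name):
        return True
    # Plain dictionary words and their reversals are next on the list.
    return p in dictionary or p[::-1] in dictionary


def dictionary_pass_seconds(n_accounts, n_words, encryptions_per_sec):
    """Time to try every word against every account at a measured crypt(3)
    rate. Each account's salt forces a fresh encryption per word, so the
    work is the product, not the sum; this is what turns 'weeks' into hours
    as the rate climbs."""
    return n_accounts * n_words / encryptions_per_sec


if __name__ == "__main__":
    for cand in ("johndoe", "eodnhoj", "Dragon", "kn0ck;wood!"):
        print(cand, "weak" if is_weak(cand, "joe", "John Doe") else "ok")
    # Assumed: 200 accounts, 25,000-word dictionary, 450 encryptions/sec.
    print(round(dictionary_pass_seconds(200, 25000, 450)), "seconds")
```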
cks@hawkwind.utcs.toronto.edu (Chris Siebenmann) (06/20/91)
newsham@wiliki.UUCP (Timothy Newsham) writes:
| If variations on the name doesn't work, the password hacker, if
| configured to do so, would go on to try every word in the dictionary.
| Most hackers don't go as far as trying the dictionary, since it takes
| weeks to compare every login with every word in the dictionary.

This used to be the case, but both machines and password encryptors have been slowly speeding up. I believe the last time I measured things, I could manage about 450 encryptions/sec on a DECStation 3100 (about 14 MIPS, I think) with a program written (smartly) in C; I have reports of significantly faster algorithms using hand-optimized assembler. Combine this with several of the new HP Snake workstations (70-odd MIPS, I believe) and you have bad news.
--
"Andrew is so incredibly reliable that almost any printing command will work, as long as it is long and complex enough..." - Nathaniel Borenstein
cks@hawkwind.utcs.toronto.edu ...!{utgpu,utzoo,watmath}!utgpu!cks
wcs) (06/28/91)
In article <64654@bbn.BBN.COM> cosell@bbn.com (Bernie Cosell) writes:
] } The main reason for changing passwords is that eventually, your password
] } may fall into the wrong hands without your knowing it.
] Yeah, but this is really muddle-headed reasoning, and in fact even the
] rainbow book on password maintenance is annoyingly non-logical about it.
] ... Unlike other security matters [e.g., length of the password, or
] disallowing words from /usr/dict/words and such], there is apparently
] no way, and no need, to justify the interval chosen... would changing
Perhaps the standard 3 months is the expected time until the average
Joe Army user loses the yellow-sticky that he wrote the password on?
--
Pray for peace; Bill
# Bill Stewart 908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M-312 Holmdel NJ
# No, that's covered by the Drug Exception to the Fourth Amendment.
# You can read it here in the fine print.