Found, a new rootkit

Mike McCarty Mike.McCarty at sbcglobal.net
Tue Apr 4 05:46:26 UTC 2006


John Summerfield wrote:
> Craig White wrote:
> 
>>
>> it's actually the fault of the admins who don't use any password
>> checking mechanisms, but I suppose that it's more feasible to blame
>> stupid users...of course, I would never do such a thing  ;-)
> 
> 
> There is quite a deal of well-reasoned debate about what constitutes a 
> good password.

Should not be all letters.
Should include at least one digit.
Should include at least one "special" character.
Should not include non-graphic characters (like CR, LF, CTRL-A).
Should be at least 6 and preferably over 8 characters long.
Should be "rememberable".
Should *not* be written down anywhere.

> First, one needs to be able to remember it without writing it down. This 
> meets Windows AD complexity requirements,

Very easy to do, and yet generate "random" letters.

tbatstdgagitw

is one which I would find very easy to remember, for example. Each
letter is the first letter of a word from a sentence I would find
very easy to recall. This particular one is *not* one I would
recommend, as it is one which might very well be tested.[1]

> 10:72:94:e5:64:d5:68:51:d1:55:c0:2b:e5:4e:7f:fa
> 
> but I defy anyone to remember it any time soon!
> 
> "bismcoles" would probably be easy for Bill Smith to remember, and would 
> certainly defy any dictionary attack. As would "bluewatermelon."

Neither of these is one I would recommend, and I consider the
"bismcoles" to be especially weak. Passwords containing anagrams of user
names are one of the things I thought of back when I wrote my first
password cracker. If a complete novice can break those, then
anyone could.

> The expect package has a password generator that creates passwords like 
> this, but again they're hard to remember: "et3tUfGd."
> 
> 
> A reasonable security system would shut down the login process for a 
> time after some number of consecutive failed login attempts. It's a rule 
> that's been around for a long time, it's even in Linux, but implemented 
> poorly.

I have indeed written just such programs for telephone switches.
One of them *permanently* disabled logins from the terminal
with attempted compromises, requiring system supervisor manual
intervention to restore.

[1] 'Twas brillig, and the slithy toves did gyre and gimble in the wabe

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
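As an added example (not part of this thread or Mike's own code), a small Python checker that applies the password rules listed above and also rejects a password containing an anagram of a part of the user's name, the weakness pointed out for "bismcoles"; the name tokens and sample passwords used with it are constructed for illustration:

```python
import string
from collections import Counter

# Printable, non-blank characters are "graphic"; CR, LF, CTRL-A etc. are not.
GRAPHIC = set(string.printable) - set(string.whitespace)
# Punctuation is what the message calls a "special" character.
SPECIAL = set(string.punctuation)


def _contains_anagram_of(password, token):
    """True if some contiguous run of `password` is an anagram of `token`
    (case-insensitive)."""
    pw = password.lower()
    n = len(token)
    target = Counter(token.lower())
    return any(Counter(pw[i:i + n]) == target for i in range(len(pw) - n + 1))


def check_password(password, name_tokens=()):
    """Apply the rules from the message above.
    Returns (problems, warnings): an empty `problems` list means the password
    passes; `warnings` carries advice such as the "preferably over 8" rule.
    `name_tokens` (assumed input: parts of the user's name) are rejected when
    an anagram of one of them appears inside the password."""
    problems, warnings = [], []
    if any(ch not in GRAPHIC for ch in password):
        problems.append("contains a non-graphic character (CR, LF, control, space)")
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    elif len(password) <= 8:
        warnings.append("only %d characters; more than 8 is preferred" % len(password))
    if password.isalpha():
        problems.append("all letters")
    if not any(ch.isdigit() for ch in password):
        problems.append("no digit")
    if not any(ch in SPECIAL for ch in password):
        problems.append("no special character")
    for tok in name_tokens:
        if len(tok) >= 3 and _contains_anagram_of(password, tok):
            problems.append("contains an anagram of user name part %r" % tok)
    return problems, warnings


if __name__ == "__main__":
    for pw in ("tbatstdgagitw", "bismcoles", "et3tUfGd.", "x7!htims"):
        print(pw, check_password(pw, ("bill", "smith")))
```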