Found, a new rootkit
Mike McCarty
Mike.McCarty at sbcglobal.net
Tue Apr 4 05:46:26 UTC 2006
John Summerfield wrote:
> Craig White wrote:
>
>>
>> it's actually the fault of the admins who don't use any password
>> checking mechanisms, but I suppose that it's more feasible to blame
>> stupid users...of course, I would never do such a thing ;-)
>
>
> There is quite a deal of well-reasoned debate about what constitutes a
> good password.
Should not be all letters.
Should include at least one digit.
Should include at least one "special" character.
Should not include non-graphic characters (like CR, LF, CTRL-A).
Should be at least 6 and preferably over 8 characters long.
Should be "rememberable".
Should *not* be written down anywhere.
> First, one needs to be able to remember it without writing it down. This
> meets Windows AD complexity requirements,
Very easy to do, and yet generate "random" letters.
tbatstdgagitw
is one which I would find very easy to remember, for example. Each
letter is the first letter of a word from a sentence I would find
very easy to recall. This particular one is *not* one I would
recommend, as it is one which might very well be tested.[1]
> 10:72:94:e5:64:d5:68:51:d1:55:c0:2b:e5:4e:7f:fa
>
> but I defy anyone to remember it any time soon!
>
> "bismcoles" would probably be easy for Bill Smith to remember, and would
> certainly defy any dictionary attack. As would "bluewatermelon."
Neither of these is one I would recommend, and I consider the
"bismcoles" to be especially weak. Passwords containing anagrams of user
names are one of the things I thought of back when I wrote my first
password cracker. If a complete novice can break those, then
anyone could.
> The expect package has a password generator that creates passwords like
> this, but again they're hard to remember: "et3tUfGd."
>
>
> A reasonable security system would shut down the login process for a
> time after some number of consecutive failed login attempts. It's a rule
> that's been around for a long time, it's even in Linux, but implemented
> poorly.
I have indeed written just such programs for telephone switches.
One of them *permanently* disabled logins from the terminal
with attempted compromises, requiring system supervisor manual
intervention to restore.
[1] 'Twas brillig, and the slithy toves did gyre and gimble in the wabe
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
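As an added example (not code from the thread or from anyone posting in it), the following Python script turns the two technical points above into something a defender can run: the password rules Mike lists (no all-letter passwords, a digit, a "special" character, no non-graphic characters, a minimum length, and his observation that passwords containing anagrams of the user name fall to even a novice cracker) and the per-terminal lockout after consecutive failed logins that John describes and Mike says he implemented on telephone switches. The minimum length of 8, the 300-second cooldown, the `None`-means-permanent convention and the `supervisor_reset` name are all assumptions made for the example; the checker is a toy policy, not a substitute for PAM's `pam_cracklib`/`pam_tally`-style modules.

```python
import math
import string
import time

MIN_LEN = 8            # the post says "at least 6 and preferably over 8" (assumed value)
MAX_FAILURES = 3       # consecutive failures before a terminal is throttled (assumed)
LOCKOUT_SECONDS = 300  # assumed cooldown; None means permanent, supervisor must reset


def contains_anagram(password: str, word: str) -> bool:
    """True if any substring of password is an anagram of word (case-insensitive)."""
    n = len(word)
    if n == 0 or n > len(password):
        return False
    target = sorted(word.lower())
    p = password.lower()
    return any(sorted(p[i:i + n]) == target for i in range(len(p) - n + 1))


def check_password(password: str, username: str = "") -> list:
    """Apply the rules from the post and return the list of rules violated."""
    problems = []
    if password and all(c in string.ascii_letters for c in password):
        problems.append("all letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # CR, LF, CTRL-A and friends are ASCII control characters (below 0x20, or DEL)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in password):
        problems.append("contains non-graphic character")
    if len(password) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if username and contains_anagram(password, username):
        problems.append("contains an anagram of the user name")
    return problems


class LoginThrottle:
    """Per-terminal lockout after consecutive failures, as described in the thread."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable so the behaviour can be tested offline
        self.failures = {}          # terminal -> consecutive failure count
        self.locked_until = {}      # terminal -> time at which logins resume

    def allowed(self, terminal: str) -> bool:
        return self.clock() >= self.locked_until.get(terminal, -math.inf)

    def record(self, terminal: str, success: bool) -> None:
        if success:
            self.failures.pop(terminal, None)   # a good login resets the counter
            return
        count = self.failures.get(terminal, 0) + 1
        if count >= self.max_failures:
            # No cooldown configured: disable the terminal permanently (the switch behaviour)
            if self.lockout_seconds is None:
                until = math.inf
            else:
                until = self.clock() + self.lockout_seconds
            self.locked_until[terminal] = until
            count = 0
        self.failures[terminal] = count

    def supervisor_reset(self, terminal: str) -> None:
        """Manual intervention that re-enables a locked terminal (assumed name)."""
        self.locked_until.pop(terminal, None)
        self.failures.pop(terminal, None)


def simulate(throttle: LoginThrottle, attempts) -> list:
    """Feed (terminal, success) pairs; return 'ok', 'fail' or 'locked' per attempt."""
    results = []
    for terminal, success in attempts:
        if not throttle.allowed(terminal):
            results.append("locked")      # refused without even checking the password
            continue
        throttle.record(terminal, success)
        results.append("ok" if success else "fail")
    return results


if __name__ == "__main__":
    # Sample passwords from the thread plus one constructed to trip the anagram rule
    for pw in ["tbatstdgagitw", "bluewatermelon", "et3tUfGd.", "celia42!"]:
        print(pw, check_password(pw, username="alice") or "passes")
    t = LoginThrottle(lockout_seconds=None)   # permanent, like the switch program
    print(simulate(t, [("tty1", False)] * 4 + [("tty1", True)]))
```

Note that the throttle refuses the attempt before the password is examined, so a locked terminal yields no information about whether a guess was correct, and that a lockout keyed on the terminal (as on the switches) rather than on the account avoids letting an attacker lock legitimate users out by guessing at their names.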