shell script

Steve Phillips steve at focb.co.nz
Mon Apr 7 16:01:57 UTC 2008


mark wrote:
> Ok, I've never had to create a thousand new users....
> 
> Paul M. Whitney wrote:
>> In that wrapper script, you could also generate a changeme type password but
>> also append some unique character to each one such as first and last letter
> 
> Or the student's ID would work (unless the college uses SSN (WHICH THEY SHOULD
> NOT)), in which case it's back to generating one.

Sorry to be pedantic but..

Student ID? Easy to get - 'hi, what's your student ID number?' or 'hey, 
can I see your student ID card'. People don't treat these things as 
'private', and if you are using this as a first-time password, it would 
be relatively trivial to crack if someone were determined.

And appending a couple of characters? It would take seconds for a 
dictionary bash to go through every possible combination, and while this 
_may_ show up in the logs, how often do you sit at your desk simply 
watching logs scroll? I am guessing you have real work to do.

>> in the user login or append the UID to the password. However you approach
>> it, you can still use the convention of creating multiple cookie-cutter
>> passwords, but also give them "some" uniqueness to "lessen" account
>> compromise. 

As soon as you work out a password 'system' then someone can reverse 
engineer it and exploit it. Completely random, changed on first login, 
alphanumeric with special characters and at least 8 characters long.

Pair them with the username in a file somewhere, print them out, cut the 
resulting printout up and hand them to the students when they first 
arrive. If the student can't find it within themselves to type 8 
characters on a keyboard when they first arrive then they don't deserve 
to use the computers.

>>
>> Also, you may want to automatically lock any account that is not used in
>> some fixed amount of days such as 30/45/60 or something like that. 
> 
> For a college, I'd think 15 or 20 days.

This has little to do with assisting in preventing account compromises 
as most accounts would be compromised within the 15 day period :-)

Can still be a good idea at times tho just to assist in system cleanup - 
be careful tho that the system is turned off over the break periods :-)

-- 
Steve.
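
The approach described in the message above (random passwords of at least 8 characters, paired with usernames in a file, changed on first login), as an added example that is not part of the original post. The function names and the one-username-per-line input file are assumptions; `chpasswd` and `chage -d 0` are the standard shadow-utils tools for setting passwords in bulk and forcing a change at next login.

```shell
#!/bin/sh
# Added example (not from the thread): random first-login passwords.
umask 077   # the pairing file holds cleartext passwords: owner-only

# gen_password [LEN]: print LEN (default 12, minimum 8) random characters
# from /dev/urandom with at least one lower, upper, digit and special.
# ':' is left out of the alphabet because chpasswd uses it as separator.
gen_password() (
    LC_ALL=C; export LC_ALL
    len=${1:-12}; [ "$len" -ge 8 ] || len=8
    while :; do
        pw=$(tr -dc 'A-Za-z0-9@%+=_.,-' < /dev/urandom 2>/dev/null | head -c "$len")
        # Reject and redraw rather than patching characters in, so no
        # position in the password is predictable.
        case $pw in *[a-z]*) ;; *) continue ;; esac
        case $pw in *[A-Z]*) ;; *) continue ;; esac
        case $pw in *[0-9]*) ;; *) continue ;; esac
        case $pw in *[!A-Za-z0-9]*) ;; *) continue ;; esac
        printf '%s\n' "$pw"; exit 0
    done
)

# make_credentials USERFILE OUTFILE: write one "user:password" line per
# username in USERFILE (hypothetical layout: one name per line; blank
# lines and '#' comments are skipped). OUTFILE is what gets printed and cut up.
make_credentials() {
    : > "$2" || return 1
    while IFS= read -r user || [ -n "$user" ]; do
        case $user in ''|'#'*) continue ;; esac
        printf '%s:%s\n' "$user" "$(gen_password 12)" >> "$2"
    done < "$1"
}

# apply_credentials OUTFILE: set the passwords and expire them so each one
# must be changed at first login. Needs root; accounts must already exist.
apply_credentials() {
    chpasswd < "$1" || return 1
    cut -d: -f1 "$1" | while IFS= read -r u; do chage -d 0 "$u"; done
}

# Demo on constructed usernames; no accounts are touched.
tmp=$(mktemp -d) || exit 1
printf '%s\n' jsmith '# staff' akhan mlee > "$tmp/users"
make_credentials "$tmp/users" "$tmp/creds" && cat "$tmp/creds"
rm -rf "$tmp"
```

Once the slips are printed and `apply_credentials` has run, delete the pairing file so the cleartext passwords do not stay on disk.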
