From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1OjPxd-0003At-Cx for garchives@archives.gentoo.org; Thu, 12 Aug 2010 05:04:16 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 461A3E08A8 for ; Thu, 12 Aug 2010 05:04:11 +0000 (UTC) Received: from mail-gy0-f181.google.com (mail-gy0-f181.google.com [209.85.160.181]) by pigeon.gentoo.org (Postfix) with ESMTP id A1757E07D6 for ; Thu, 12 Aug 2010 04:30:26 +0000 (UTC) Received: by gyf1 with SMTP id 1so403124gyf.40 for ; Wed, 11 Aug 2010 21:30:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:content-type; bh=N3TLQ60o4mF/WUyOAHWu067jfYUcl63dGGJ0QWFN4Zk=; b=vDoUiG8z4IzJhNcAmoXdoOXkLbcw11CgELbKTsNsONTOIPS5G1P83TSYLF10CmWUbS gKqEvr78zIQIRt814H00KeQFQn5TO9T9cohj1qJU7JAPZWDeNP3mjMp1Et2+jKztbLrc QO6ogVEwkFnq+H8y3gOElektF4KTmbaGdWjfM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=Ax9HcgNesLkJVB/W5jd4oHP9+JqxiSFqsnidie4A4OwFZxVqj+Mr+bV2O4wYyGqWXP cncIya+B8mk57JSmrJwH7Mt3qJc77SPH34PB2gbI5xJj7qgdiQ1+8hTiti6nhXT2R2wx FJJk+wIMipsD60nochqAm02Gr8U6gE4A2Ajog= Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Received: by 10.151.63.25 with SMTP id q25mr22733975ybk.182.1281587426283; Wed, 11 Aug 2010 21:30:26 -0700 (PDT) Received: by 10.150.211.13 with HTTP; Wed, 11 Aug 2010 21:30:26 -0700 (PDT) In-Reply-To: <201008120109.58521.alan.mckinnon@gmail.com> References: <201008112230.26977.alan.mckinnon@gmail.com> <4C632000.7020800@gmail.com> <201008120109.58521.alan.mckinnon@gmail.com> Date: Wed, 11 Aug 2010 21:30:26 -0700 Message-ID: Subject: Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords From: Bill Longman To: gentoo-user@lists.gentoo.org Content-Type: multipart/alternative; boundary=000e0cd591e44ad1dc048d98d354 X-Archives-Salt: e47bf724-ed1f-4229-8b28-6f64df6e6544 X-Archives-Hash: 360a5f13e3cbeb50ec62125a72a16cd7 --000e0cd591e44ad1dc048d98d354 Content-Type: text/plain; charset=UTF-8 On Wed, Aug 11, 2010 at 4:09 PM, Alan McKinnon wrote: > On Thursday 12 August 2010 00:11:12 Bill Longman wrote: > > On 08/11/2010 01:30 PM, Alan McKinnon wrote: > > > I refuse to implement password expiration policies and have a vast > array > > > of literature to back me up when some dimwit damager gets on his > > > expiration high horse. > > > > > > My users pick their own passwords - I present a list of 5 from apg and > > > let them pick one. Accounts do expire if they go unused for 90 days, > but > > > not passwords. > > > > > > What put me onto this policy? I found Gartner recommending password > > > expiration. I find the best security possible is always the opposite of > > > what Gartner says. Discovering how the AD admins in the company go > about > > > their jobs was the convincing straw :-) > > > > The bigger buggerboo I see is the "password complexity" [il]logic. > > There's this vapid requirement of all these different types of > > characters needed in one's password, yet the thing you really want to > > enforce is adequate entropy. If my password is an entire sentence, it > > will not be brute-forced, even if I used just ASCII A-z. There's just > > too much key space in 4.7^32. At 10^5 attempts per second, you're likely > > to find the answer in half a billion years. I hope your keyboard still > > works, let alone exists.... > > Your reasoning makes sense, until you consider password length limits > imposed > by machines. > > Cisco routers authenticating via Tacacs for instance often support nothing > more than DES hashing . The hash routines accept up to 10 characters > for > a password but only use the first 8 to calculate the hash. > > There are Solaris version nowhere near EOL yet that have similar limits. > > All this makes my life as a system integrator cum authenticate go-to guy > very > tricky indeed. Luckily management tends to say "Just do what Alan says. It > makes him shut up and go away". > > :-) > > p.s. dig the use of "vapid". Wonderful word, truly splendid. Communicates > in 5 > letters something that takes paragraphs any other way. I shall make a note > for > future use. > > -- > alan dot mckinnon at gmail dot com > > Absolutely. If you do not change your ENCRYPT_METHOD or your PASS_MAX_LEN in your login.defs file and are still relying on the back end's ability to safely store your passwords in DES format, well, you're in trouble. --000e0cd591e44ad1dc048d98d354 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

On Wed, Aug 11, 2010 at 4:09 PM, Alan Mc= Kinnon <ala= n.mckinnon@gmail.com> wrote:
On Thursday 12 August 2010 00:11:12 Bill = Longman wrote:
> On 08/11/2010 01:30 PM, Alan McKinnon wrote:
> > I refuse to implement password expiration policies and have a vas= t array
> > of literature to back me up when some dimwit damager gets on his<= br> > > expiration high horse.
> >
> > My users pick their own passwords - I present a list of 5 from ap= g and
> > let them pick one. Accounts do expire if they go unused for 90 da= ys, but
> > not passwords.
> >
> > What put me onto this policy? I found Gartner recommending passwo= rd
> > expiration. I find the best security possible is always the oppos= ite of
> > what Gartner says. Discovering how the AD admins in the company g= o about
> > their jobs was the convincing straw :-)
>
> The bigger buggerboo I see is the "password complexity" [il]= logic.
> There's this vapid requirement of all these different types of
> characters needed in one's password, yet the thing you really want= to
> enforce is adequate entropy. If my password is an entire sentence, it<= br> > will not be brute-forced, even if I used just ASCII A-z. There's j= ust
> too much key space in 4.7^32. At 10^5 attempts per second, you're = likely
> to find the answer in half a billion years. I hope your keyboard still=
> works, let alone exists....

Your reasoning makes sense, until you consider password length = limits imposed
by machines.

Cisco routers authenticating via Tacacs for instance often support nothing<= br> more than DES hashing <yuck>. The hash routines accept up to 10 chara= cters for
a password but only use the first 8 to calculate the hash.

There are Solaris version nowhere near EOL yet that have similar limits.
All this makes my life as a system integrator cum authenticate go-to guy ve= ry
tricky indeed. Luckily management tends to say "Just do what Alan says= . It
makes him shut up and go away".

:-)

p.s. dig the use of "vapid". Wonderful word, truly splendid. Comm= unicates in 5
letters something that takes paragraphs any other way. I shall make a note = for
future use.

--
alan dot mckinnon at gmail dot com

Absolutely. If you do not change your ENCRYPT_MET= HOD or your PASS_MAX_LEN in your login.defs file and are still relying on t= he back end's ability to safely store your passwords in DES format, wel= l, you're in trouble.

--000e0cd591e44ad1dc048d98d354--