Re: expired passwords

On Tue, 2008-03-11 at 16:32 +0000, Stuart Sears wrote:
> You type in an account name and immediately get told that the password
> has expired?
> This is a security flaw, as it immediately exposes the fact that you
> have typed in a valid account name (you could be anyone trying to
> log in).

Expiring passwords is a security flaw in itself.

Not expiring passwords is fine (i.e. always using the same one on a
system), if nobody else has cracked it.  It's just as easy for them to
crack one password as it is another.

Expiring them pushes users into trying to come up with something that
they can remember, and they'll probably forget passwords if they have to
keep on changing them.  Then they'll write them down...  Either way,
this password can still be cracked, changing it didn't make cracking it
any harder.

It's not like in the movies, where you can work on cracking a password,
step by step.  You either crack it in one go, or you don't.  You don't
get clues.  Even progressively stepping through a large dictionary
doesn't help, the cracker doesn't know if yesterday's failed attempts
will fail again, or might be worth trying today.  They don't know if
you're using the same passwords, or not.

Better security is:  Disallowing the setting of stupid passwords in the
first place (yes, forbid it, don't just warn against it).  Alerts that
cracking attempts seem to be under way, and prompt lockouts during the
attempts.  Alerts should go to the owner and admins when passwords have
changed.

It strikes me that a detected cracking attempt on a Linux server should
start dinging the motherboard bell, rather than just silently handling
it.  You want an admin to look up and check why the computer's alarmed
about something, straight away.  Rather than discover some problem long
after it happened, as you peruse daily log watch reports.

-- 
(This computer runs FC7, my others run FC4, FC5 & FC6, in case that's
 important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
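As an added illustration of the two points raised in this thread (constructed example, not code from either poster or from Fedora), a Python sketch of a login routine that reports "password expired" before checking the password, which confirms the account exists, beside one that gives a uniform failure, mentions expiry only after the password has been proven, and records a lockout alert after repeated failures. The user table, the threshold of five attempts and the in-memory alert list are assumptions.

```python
import hashlib
import hmac

# Constructed sample user table; the hashes are not real credentials.
def _h(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

USERS = {
    "alice": {"hash": _h("correct horse"), "expired": True},
    "bob":   {"hash": _h("battery staple"), "expired": False},
}

def leaky_login(user: str, password: str) -> str:
    """Behaviour described in the thread: expiry is reported before the
    password is checked, so the reply alone reveals that the account exists."""
    rec = USERS.get(user)
    if rec is None:
        return "no such account"
    if rec["expired"]:
        return "password expired"
    return "ok" if hmac.compare_digest(rec["hash"], _h(password)) else "login failed"

GENERIC = "login failed"          # one answer for unknown user, bad password, lockout
LOCKOUT_THRESHOLD = 5             # assumed policy value
failures: dict = {}               # user -> consecutive failed attempts (in-memory)
alerts: list = []                 # where an admin notification would be raised

def hardened_login(user: str, password: str) -> str:
    """Uniform failure message; expiry is only disclosed once the caller has
    proven the password; repeated failures lock the account and raise an alert."""
    rec = USERS.get(user)
    # Hash the supplied password even for unknown users so the work done
    # does not differ noticeably between existing and non-existent accounts.
    ok = rec is not None and hmac.compare_digest(rec["hash"], _h(password))
    if failures.get(user, 0) >= LOCKOUT_THRESHOLD:
        return GENERIC            # locked out: same answer as any other failure
    if not ok:
        failures[user] = failures.get(user, 0) + 1
        if failures[user] == LOCKOUT_THRESHOLD:
            alerts.append(f"lockout: {user}")   # the "ding the bell" moment
        return GENERIC
    failures.pop(user, None)
    if rec["expired"]:
        return "password expired; change required"
    return "ok"
```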

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list