Allegedly, on or about 18 December 2013, Rick Stevens sent:

> 3. Make sure you enforce complex passwords and require them to be
> rotated at least every 90 days.

I take issue with the continually changing passwords idea. If you get hacked, changing the password after the event is too late. And if they installed a backdoor, changing your password will be completely pointless. If you haven't been hacked, you're just making life harder for yourself, trying to remember all these passwords. Or making things less secure, because you have to write them down.

A reasonably good password can't be guessed, or isn't likely to be got at by a dictionary attack without attracting attention. i.e. Even if my password was simply just the word "red," how many guesses, out of all the possible words in a dictionary, would it take to guess it? You can't partially crack it, like in the movies where they show that three letters in a password have been correctly guessed; it's complete pass/fail. Trying to find the right password has just got to be detectable. And the chances of someone guessing that my password might be "purplepolkadotsonmydog" are next to infinitely impossible. You'd have to guess what words, and in what order.

Of course, completely stupid passwords ("password", "remember", the username logon repeated as the password) might be guessed in the first few attempts, as the first attack words on the list to try.

You really need something that detects attempts to crack passwords, responds appropriately to thwart the attacks while they happen, and immediately notifies you that an attempt is happening as it happens (e.g. email to a separate system), so you know to check, and the notification isn't stored somewhere that will be deleted during the attack.
--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I will only read messages posted to the public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not a set of instructions for supposedly democratic governments.
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
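As an added illustration of the detection the post calls for (example code written for this page, not from the post or from the Fedora list): a small Python sliding-window detector over constructed sshd auth.log lines, which flags a source that racks up failures quickly and, more importantly, a successful login from that source right afterwards. The log format, the threshold of 5 failures in 60 seconds, and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not from the post); the first source fails
# five times in four seconds and then succeeds, the second is a normal user.
SAMPLE_LOG = """\
Dec 18 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Dec 18 10:00:02 host sshd[2002]: Failed password for invalid user test from 203.0.113.7 port 51001 ssh2
Dec 18 10:00:03 host sshd[2003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Dec 18 10:00:04 host sshd[2004]: Failed password for tim from 203.0.113.7 port 51003 ssh2
Dec 18 10:00:05 host sshd[2005]: Failed password for tim from 203.0.113.7 port 51004 ssh2
Dec 18 10:00:09 host sshd[2006]: Accepted password for tim from 203.0.113.7 port 51005 ssh2
Dec 18 10:05:00 host sshd[2007]: Failed password for tim from 198.51.100.2 port 40000 ssh2
Dec 18 10:30:00 host sshd[2008]: Accepted publickey for tim from 198.51.100.2 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def detect(log_text, threshold=5, window_s=60, year=2013):
    """Return (ip, kind, detail) alerts: 'burst' when a source exceeds
    `threshold` failures inside a sliding `window_s`-second window, and
    'success-after-burst' when that same source then logs in."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    bursting = set()                # ips that already tripped the threshold
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # not an authentication outcome line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()         # drop failures outside the window
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append((ip, "burst", f"{len(q)} failures in {window_s}s"))
        elif ip in bursting:        # a success right after a burst is the real alarm
            alerts.append((ip, "success-after-burst", f"{m['user']} via {m['method']}"))
            bursting.discard(ip)
    return alerts
```

Each alert is meant to be sent out of band as the post suggests (mail to a separate host, not a file on the machine under attack); `detect(SAMPLE_LOG)` returns the burst alert for 203.0.113.7 followed by the success-after-burst alert, and nothing for 198.51.100.2.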