Re: Debian Server restored after Compromise

To: debian-project@lists.debian.org
Subject: Re: Debian Server restored after Compromise
From: Filippo Giunchedi <filippo@debian.org>
Date: Fri, 14 Jul 2006 15:03:15 +0200
Message-id: <[🔎] 20060714130315.GA26678@esaurito.net>
Mail-followup-to: Filippo Giunchedi <filippo@debian.org>, debian-project@lists.debian.org
In-reply-to: <[🔎] 20060713181827.GA4595@localhost.localdomain>
References: <20060713175452.GS1655@finlandia.home.infodrom.org> <[🔎] 20060713181827.GA4595@localhost.localdomain>

On Thu, Jul 13, 2006 at 08:18:27PM +0200, Bas Zoetekouw wrote:
> > An investigation of developer passwords revealed a number of weak
> > passwords whose accounts have been locked in response.
> 
> That's not good.  
> Should we maybe implement a stricter password policy?  Or maybe only
> allow pubkey ssh authentication?

I would go for periodically cracking passwords, ones found with weak password
will have their account locked.
Note also that having pubkey ssh keys without keyphrase is quite pointless and
(IMO) way more dangerous than weak login password.

filippo
--
Filippo Giunchedi - http://esaurito.net
PGP key: 0x6B79D401
random quote follows:

A child of five would understand this. Send someone to fetch a child of five.
-- Groucho Marx

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Re: Debian Server restored after Compromise
  - From: Bas Zoetekouw <bas@debian.org>

Prev by Date: Re: Fundamental flaw in bug reporting system
Next by Date: Re: Debian Server restored after Compromise
Previous by thread: Re: Debian Server restored after Compromise
Next by thread: Re: RE : Re: Linux Magazin Germany, affecting Debian's image?!
Index(es):
- Date
- Thread