[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Password leaks are security holes

A. Dreyer un jour écrivit:
On Thu, 28 Aug 2008, Johan Walles wrote:

Anyway root already has the capability to view passwords
(i.e. by installing alternate login programs, sniffing tty, ...)

That's obviously true, but that doesn't cover the case when logs are copied to a second system with sysadmins that doesn't have access to the first server. And if someone use the standard 514 syslog port instead of using an SSL tunnel or the newer syslog-tls on port 601, well you get cleartext password on the wire (yes, people sometime make stupid mistakes).

Personally, I would prefer never to see password stored in clear text anywhere, whatever the file permissions are. And If I really want to still see them, I certainly won't complain if all I have to do is make a small change to the default configuration file, telling the system that I know what I am doing.

That doesn't mean Debian should *help* root doing that in a default
install.  Security by default, anybody?

I think that everybody agrees that the default behaviour should be the most secure for most people, unless we have a very good reason to do otherwise. What some doesn't agree on is what is the most secure behaviour.

I can see a point in logging *valid* usernames.  Logging invalid
usernames (which aren't unlikely to actually be passwords) is a
security risk.

And you do you figure out if you are under attack?

Many failed connections, usually from the same IP with a few existing account in the lot, usually completelly unrelated account names (so easy to differentiate from someone that forgot the exact spelling of his/her account name).

Realistically, there is very few cases were seeing the non existent account names is essential to detect an attack, and even when that happens, I am not sure that you would always realize that you are attacked.

The very few companies that follows well enought their logs to be able to detect more attacks by allowing logging what is potentially a password are probably willing to change their configuration anyway.

  For most people, writting "unknown account" is a better security practice.

When I see that someone is obviously trying "default" system usernames
I know there is an attack going on, if I only see that there have been
10 invalid login requests this could also be the CEO coming back from
his 2 month vacation...

Would he types in 10 times in a row his password instead of his username? I don't believe It.

If he just try to remember his password, then you will see 10 failed login attempt to his account before succeding or requesting a new password. If he tries to remember his username, then It is usually very easy to differentiate that from a real attack, even without seeing the username.

Common sense:
If you have accidentally typed in your password on the login prompt,
login immediately and change the password!
We shouldn't encourage people to continue using possibly compromised
passwords. If they compromise it, they are responsible to change it
immediately or to get the account locked!!

They usually don't even understand that their password is potentially compromised. And if the password is not put in a log files, and that nobody saw their screen, they are actually right, which is good.

And even if they know, most will hate to have to learn a new password, and avoid changing It if they can.

This should be in your (computer use) company policy.

A company policy that most people won't follows anyway. Just like asking people to use different password for each account. And if you configure the system to prevent them from using similar password for each account, or one similar to a past password, or if they are forced to change their password too often (possibly because they sometime put their password in the user field) then they start writting down the password somewhere they think nobody will find It, even if It is forbiden by policy.

  Policy won't change human nature, sorry.

Simon Valiquette

Reply to: