Re: Password leaks are security holes
A. Dreyer un jour écrivit:
On Thu, 28 Aug 2008, Johan Walles wrote:
Anyway root already has the capability to view passwords
(i.e. by installing alternate login programs, sniffing tty, ...)
That's obviously true, but that doesn't cover the case when logs are
copied to a second system with sysadmins that doesn't have access to the
first server. And if someone use the standard 514 syslog port instead of
using an SSL tunnel or the newer syslog-tls on port 601, well you get
cleartext password on the wire (yes, people sometime make stupid mistakes).
Personally, I would prefer never to see password stored in clear text
anywhere, whatever the file permissions are. And If I really want to
still see them, I certainly won't complain if all I have to do is make a
small change to the default configuration file, telling the system that I
know what I am doing.
>>
That doesn't mean Debian should *help* root doing that in a default
install. Security by default, anybody?
I think that everybody agrees that the default behaviour should be the
most secure for most people, unless we have a very good reason to do
otherwise. What some doesn't agree on is what is the most secure behaviour.
I can see a point in logging *valid* usernames. Logging invalid
usernames (which aren't unlikely to actually be passwords) is a
security risk.
And you do you figure out if you are under attack?
Many failed connections, usually from the same IP with a few existing
account in the lot, usually completelly unrelated account names (so easy
to differentiate from someone that forgot the exact spelling of his/her
account name).
Realistically, there is very few cases were seeing the non existent
account names is essential to detect an attack, and even when that
happens, I am not sure that you would always realize that you are attacked.
The very few companies that follows well enought their logs to be able
to detect more attacks by allowing logging what is potentially a password
are probably willing to change their configuration anyway.
For most people, writting "unknown account" is a better security practice.
>
When I see that someone is obviously trying "default" system usernames
I know there is an attack going on, if I only see that there have been
10 invalid login requests this could also be the CEO coming back from
his 2 month vacation...
Would he types in 10 times in a row his password instead of his
username? I don't believe It.
If he just try to remember his password, then you will see 10 failed
login attempt to his account before succeding or requesting a new
password. If he tries to remember his username, then It is usually very
easy to differentiate that from a real attack, even without seeing the
username.
Common sense:
>
If you have accidentally typed in your password on the login prompt,
login immediately and change the password!
>
We shouldn't encourage people to continue using possibly compromised
passwords. If they compromise it, they are responsible to change it
immediately or to get the account locked!!
They usually don't even understand that their password is potentially
compromised. And if the password is not put in a log files, and that
nobody saw their screen, they are actually right, which is good.
And even if they know, most will hate to have to learn a new password,
and avoid changing It if they can.
>
This should be in your (computer use) company policy.
A company policy that most people won't follows anyway. Just like
asking people to use different password for each account. And if you
configure the system to prevent them from using similar password for each
account, or one similar to a past password, or if they are forced to
change their password too often (possibly because they sometime put their
password in the user field) then they start writting down the password
somewhere they think nobody will find It, even if It is forbiden by policy.
Policy won't change human nature, sorry.
Simon Valiquette
Reply to: