
Re: off topic: password strategy as an ISP



We use the following strategy:

1) Generate a list of passwords with pwgen

2) On a SP2 supercomputer, try to crack them (after feeding them
through crypt).

3) Those who can't be cracked go into a safe, to be allocated when
users sign up.

The company I work for was very badly hacked (rm -fR *), which is how
I got my job (as a repairman!). They are now somewhat paranoid!

Just as a Debian is cool story:

When they lost all their servers they were running Slackware 2
(shudders!). I refused to rebuild the system with Slackware so they
said, "OK, use Redhat". I installed Redhat (2 I think) and managed to
crack it within a week.

So I put Debian 1.2.4 on (I'd been using Debian in a research
environment for some time), and since then I've seen a few attempts in
the logs, but as far as I know no-one has got in who shouldn't!

I'm not so naive as to believe that Debian is 100% secure (that's
impossible I reckon), but it seems to cope OK for a smallish ISP. I
find some interesting things in the logs, like 500 consecutive
attempts to telnet from the one source, but as we've disabled shell
access for dial-in clients it'll just give them motd if they do get in
that way!

On the subject of pwgen though, there is a definite pattern to the
passwords it generates. This does concern me a bit.

John Foster


> As you can see, this message is very off-topic, but still somewhat Debian
> related.
> 
> I am curious how folks who use Debian in a "production" environment deal
> with allocating passwords.
> 
> Do you use the pwgen package and let users worry about it from there, or
> do you let them choose within the confines of what passwd allows?
> I can see a lot of..."no, you can't have anything that appears in the
> dictionary, no that's too short, you need a capital or a number in it.."
> or..."ok, to change your password you have to telnet in...ok, telnet
> is...then type passwd..."
> 
> It is interesting.  I've had ISPs who use BSD, Slackware Linux, and NT.
> The BSD ISP gave me a rather cryptic looking password.
> I had my choice with the Slackware ISP. (Debian would not have accepted my
> password...too simple)
> Likewise, the NT ISP, allowed me to choose a rather simple password.
> Even though hard to remember at first, the password I had with BSD was
> likely the most secure.  
> 
> TIA for sharing your strategies.
> 
> Rich M
> richm@rogers.wave.ca
> 
> 
> 
> --
> TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
> debian-user-request@lists.debian.org . 
> Trouble?  e-mail to templin@bucknell.edu .
> 
> 
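The three-step vetting strategy at the top of John's reply (generate a batch, hash it, try to crack the hashes, keep only the survivors), as an added example that is not from the post or from pwgen: a salted SHA-256 stand-in for crypt(3), a small constructed wordlist with cheap mangling rules in place of the SP2 cracking run, and uniformly random alphanumerics in place of pwgen output; all function names and sample values are hypothetical.

```python
import hashlib
import secrets
import string

# Constructed stand-in wordlist; a real vetting run would use a full cracking
# dictionary (the post's supercomputer step), not a handful of words.
WORDLIST = ["password", "debian", "secret", "letmein", "qwerty", "slackware"]


def hash_password(password, salt=None):
    """Salted hash standing in for crypt(3); returns (salt, hexdigest)."""
    if salt is None:
        salt = secrets.token_hex(2)  # 2 bytes, echoing crypt's short salt
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt, digest


def mangle(word):
    """Cheap guess variants a dictionary attack would try first."""
    forms = {word, word.capitalize(), word.upper(), word[::-1]}
    for base in list(forms):
        for n in range(100):
            forms.add(f"{base}{n}")
            forms.add(f"{base}{n:02d}")
    return forms


def vet_passwords(candidates, wordlist=WORDLIST):
    """Hash each candidate, then try to recover it from its hash with the
    wordlist. Recovered candidates are rejected; the rest are kept."""
    guesses = set()
    for w in wordlist:
        guesses |= mangle(w)
    kept, rejected = [], []
    for pw in candidates:
        salt, digest = hash_password(pw)
        if any(hash_password(g, salt)[1] == digest for g in guesses):
            rejected.append(pw)
        else:
            kept.append(pw)
    return kept, rejected


def generate_candidates(n, length=8):
    """Stand-in for pwgen: uniformly random alphanumerics, so none of the
    pronounceability pattern the post worries about."""
    alphabet = string.ascii_letters + string.digits
    return ["".join(secrets.choice(alphabet) for _ in range(length))
            for _ in range(n)]


if __name__ == "__main__":
    batch = generate_candidates(5) + ["Password1", "secret42", "naibed"]
    kept, rejected = vet_passwords(batch)
    print("kept:", kept)
    print("rejected:", rejected)
```

The rejected list shows why step 2 matters: a candidate that is a dictionary word with a capital, a digit suffix, or reversed falls to the cheapest rules, while the random candidates survive.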

