
Re: sync root passwords?



No, it's not more insecure; you're assuming the hypothetical hacker knows
that there is an algorithm, and which character(s) are filled in by it.  

Take the canonical, one-password case, and give me a reasonably good
password, say one generated from the phrase "I Procrastinate On Grading
Papers By Debating Debian!":

I!engsygN

(whoever finds the phrase->password algorithm can stay after class to
clean the erasers)

With 100 machines, the hypothetical hacker has all of them if s/he gets
one of them.

Now, make an (unpublicized) decision to replace the I with the capitalized
last two letters of each hostname:

my @hosts = qw(washington jefferson adams franklin);   # a list, not one string
for (@hosts) {
	# the capitalised last two letters of the hostname replace the leading "I"
	my $pass = uc(substr($_, -2, 2)) . '!engsygN';
	print "$_: $pass\n";
}

And, of course, delete the generator script when you're done.  Now the
hypothetical hacker finds the root password to one, but remains locked out
of all the others.

Of course this is "worse" than random separate passwords for each machine,
but my view is that with 100 machines the risk is far greater that someone
writes down the passwords and leaves them in a public place.  But it's
hard to see how this is worse than 100 with the same root password.

ap

----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
clists@perrin.socsci.unc.edu * andrew_perrin (at) unc.edu


On Wed, 4 Dec 2002, sean finney wrote:

> On Wed, Dec 04, 2002 at 04:57:27PM -0500, Andrew Perrin wrote:
> > You might want to reconsider the project, frankly - why not make different
> > root passwords for different machines? That would seem to be a more secure
> > alternative. You can make them systematically different to save yourself
> > memorizing them all, by (for example) using the second letter of the
> > hostname as one of the characters of the root password or something along
> > those lines.
> 
> that's way more insecure, as the hypothetical hacker could then know
> (or more easily guess) what one of the characters in the password is!  
> 
> 
> 	sean
> 
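The same idea, one memorised secret turned into a different root password per host, can be done so that neither the rule nor one recovered password tells an intruder anything about the other hosts: derive each password with a keyed hash of the hostname instead of substituting hostname letters at a fixed position. The script below is an added example and not code from the post; it assumes Perl's core Digest::SHA module, uses the post's four hostnames and passphrase as constructed sample input, and is meant to run on the administrator's workstation, never on the managed machines (the post's advice to delete the generator afterwards applies to it as well).

```perl
#!/usr/bin/perl
# Added example (not from the original post): derive one root password
# per host as HMAC-SHA256(master_secret, hostname), encoded into printable
# characters. The master secret exists only in the administrator's head
# or password safe; a compromised host yields its own password and the
# derivation rule, but HMAC is one-way, so the others stay locked.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);

# Alphabet for the printable password: 72 symbols (letters, digits, a few punctuation marks).
my @alphabet = ('A'..'Z', 'a'..'z', '0'..'9', qw(! @ # % ^ & * - + =));

# Map raw HMAC bytes onto the alphabet with rejection sampling, so that no
# symbol is favoured the way a plain "byte mod 72" would favour the first 40.
sub bytes_to_password {
    my ($raw, $len) = @_;
    my $n     = scalar @alphabet;      # 72
    my $limit = 256 - (256 % $n);      # 216: bytes at or above this are discarded
    my $out   = '';
    for my $b (unpack('C*', $raw)) {
        next if $b >= $limit;
        $out .= $alphabet[$b % $n];
        last if length($out) >= $len;
    }
    return $out;
}

# Password for one host. Rejection sampling occasionally leaves fewer than
# $len symbols in 32 bytes, so a counter is appended and hashing repeats
# until the password is full; the result is still fully determined by
# (master secret, hostname).
sub host_password {
    my ($master, $host, $len) = @_;
    $len ||= 16;
    my $out = '';
    for (my $ctr = 0; length($out) < $len; $ctr++) {
        my $raw = hmac_sha256("$host\0$ctr", $master);   # Digest::SHA: (data, key)
        $out .= bytes_to_password($raw, $len - length($out));
    }
    return $out;
}

# Constructed sample input: the passphrase and hostnames from the post.
# In real use the passphrase is typed in, not written into the script.
my $master = 'I Procrastinate On Grading Papers By Debating Debian!';
for my $host (qw(washington jefferson adams franklin)) {
    printf "%-12s %s\n", $host, host_password($master, $host);
}
```

Changing the master secret re-keys every host at once, and adding a host needs no new rule, only the existing script and the hostname. Because the per-host passwords are not related by any visible pattern, the objection that an attacker "could know what one of the characters is" no longer applies.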