Default encrypted passwords

Jay Ts jay at toltec.metran.cx
Thu Sep 27 10:04:44 GMT 2001


> > On Thu, 27 Sep 2001, James Nord wrote:
> > 
> >     "If it uses unencrypted passwords over the network get rid of it and
> > replace it with an encrypted equivalent"
> 
> Removing the plain text passwords from an SMB network only eliminates the
> probability that someone could use those same passwords to attack other
> protocols.

For a Samba network, this is not true, because Unix usernames and
passwords are sent over the net in plaintext.  So a cracker could
use them to attack the Samba host.  One popular method of attacking
Unix systems is to first obtain a non-root user's password, and then
use it to log in and do a brute force crack of the root password.

> ... it is likely that assuming that they have
> enough skill, they can compromise any system on the network.

The key phrase there is "assuming that they have enough skill",
to which I would add, "and enough CPU time".  All computer security,
like any other security, functions by making it inconvenient or
difficult enough to break in that few people do it.

The harder it is to break in, the fewer break-ins there will be.

Or to put it another way, if you leave the front door key for your
house under a rock outside next to the front door, aren't you
asking for trouble?

> A. The skill level needed to exploit this type of security vulnerability
>    is reasonably high.  High skill can usually get high paid jobs.
>    In most cases at a company the people with these skills are the ones
>    with a responsibility to make sure that the systems are secure.

But there are also disgruntled employees, plus teenage crackers who
have found a misconfigured firewall (or no firewall) and are attacking
the LAN from the Internet!

> B. Social Engineering or bribery is a much lower cost method and seems to
>    have higher returns.

Very true, I would think, based on stories I've heard.

> If you can not convince your user community as to why they must follow
> good security practices, and also how to recognize and report social
> engineering attempts, then all technical safeguards are useless.

Also very true, IMO!

- Jay Ts
