password quality script aka --with-cracklib replacement
John E. Malmberg
wb8tyw at qsl.network
Sat Feb 15 06:07:48 GMT 2003
John H Terpstra wrote:
> On Thu, 13 Feb 2003, John E. Malmberg wrote:
>
>>The storage time needs to be timed based, not number of changes.
>
> Usually, minimum time till change is again permitted as well as ultimate
> password expiry if not changed time 'usually date or # days based.
I consider that a security hole. A user should be able to change their
password at any time. They do not want to admit that someone may have
seen them enter their password.
>>OpenVMS does not have the security hole where a user is forbidden to
>>change a password for a period of time from the last change, so that a
>>user must notify the system administrator when they think a recently
>>changed password was compromised.
>>
>>Frequent password changes also lead to passwords that are more easily
>>cracked by social engineering methods. Usually if you have learned a
>>past password, a human can figure out all future passwords.
>
> From my site auditing work I could not agree with this generalization. It
> might be the case with < 10% of the people I had exposure to. But then
> this would be moderated if the site has a documented password security
> and change policy.
You are right about over generalizations. It really depends on the
population of users that you are auditing, and if you are running a
crack program, how successful you are in finding out what the passwords
are. I have had to provide the backup support for a help desk, and one
of the platforms required the help desk operators to log in as the
users. The proper procedure on other platforms would be to temporarily
override the password with a new one, but that was not practical here,
so the users would give their passwords to the help desk operators.
One of the latest trends to try to get people to have a secure password
is to compare so many characters from the new password against the last N. That
requires storing several plain text passwords. Not good. But someone
seems to think so.
But I doubt that password guessing is the cause of most security
problems, in spite of all the focus on them. Nor do I think that
industrial spies really spend much time trying to bypass computer
controls. Cheap low tech human engineering works most of the time, and
it is cheaper to bribe a disgruntled employee than to hire a
professional cracker.
And sometimes when you make the security policies too tight, and the
users do not think they need to be, they will bypass them behind your
back in ways that cannot be easily detected.
-John
wb8tyw at qsl.network
Personal Opinion Only
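An added illustration of the storage point raised above (example code, not part of the original thread or of Samba): a password history kept as salted hashes can only answer "is this exactly a previous password?", while a "must differ in at least N characters" rule needs the old plaintext as an argument. Function names and the sample passwords are constructed for the example.

```python
import hashlib
import os
from typing import List, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; illustrative value


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; only this pair needs to be stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def reused_exactly(candidate: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Hash-only history check: recompute each old hash with its own salt.

    This can detect exact reuse of an earlier password and nothing more,
    because the old plaintext is never available here.
    """
    return any(
        hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS) == digest
        for salt, digest in history
    )


def differs_enough(candidate: str, previous_plaintext: str, min_diff: int) -> bool:
    """Position-wise 'differ in at least min_diff characters' rule.

    Note the signature: it takes the previous password in the clear, which is
    exactly why such a policy forces plaintext (or reversible) storage.
    """
    longest = max(len(candidate), len(previous_plaintext))
    new_padded = candidate.ljust(longest)
    old_padded = previous_plaintext.ljust(longest)
    changed = sum(1 for a, b in zip(new_padded, old_padded) if a != b)
    return changed >= min_diff


if __name__ == "__main__":
    # Constructed sample history; not real credentials.
    history = [hash_password("winter2003!")]
    print(reused_exactly("winter2003!", history))            # True
    print(reused_exactly("winter2004!", history))            # False: hash can't see similarity
    print(differs_enough("winter2004!", "winter2003!", 3))   # False: only one character changed
```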