[Samba] Samba 4 and bad lockout attempts

L.P.H. van Belle belle at bazuin.nl
Fri Aug 30 05:42:53 MDT 2013


Some of these rules are a bit stupid, sorry, I mean.. outdated.
A virus won't crack your password, but captures it with keyloggers.
The solution for that is: don't install Java, don't install Acrobat Flash and Acrobat Reader.
Don't work as Administrator.. with this you're 99.999999999999999 safe.  ;-)

If I look into this:
>- temporary initial password, to be modified upon first connection,
= OK
>- password chosen by the user and known only by him/her,
= OK
>- at least 8 characters,
= If only characters, I suggest at least 12-14.
Look here and test some passwords.
http://www.passwordmeter.com/

For example:
M1j0wnpw  gives strong, 65% score   ( 8 characters )
ThisIsMyOwnPassword, also strong, but 76% score, 19 characters.
ThisIsMyOwnPassword! , very strong, 100% score, 20 characters.
Which one can you remember the best ;-) Teach this to your users. (I do)

My own password has 10 characters, is very strong and scores 92%,
and this is my "simple" password. My root passwords are 20+ characters, digits, letters, symbols, Caps/NoCaps.
Look here https://howsecureismypassword.net/ and test some.
And remember it's a guideline and they talk about 1 desktop PC; think about what a cluster of servers can rehash.

>- renewed at least every three months (90 days),
= OK
>- no reuse of previous passwords (at least the last 10).
Don't care about this, because users will create..
Welkom01
Welkom02
Welkom03
Welkom04
etc..
So a check on this would be nice also, if you want it really secure.


>- suspension after 5 incorrect password entries (automatic or manual
>unlocking after a certain period)
But, did you try and look into..
net pwsettings show
And with RSAT you can set the Windows policies for your passwords also.


.. there is more info about this online ;-) 

Best regards, 

Louis


>-----Original message-----
>From: stephane.purnelle at corman.be
>[mailto:samba-bounces at lists.samba.org] On behalf of Stéphane PURNELLE
>Sent: Friday 30 August 2013 12:27
>To: samba at lists.samba.org
>Subject: [Samba] Samba 4 and bad lockout attempts
>
>Hi,
>
>I have a big problem.
>
>I see that Samba 4 doesn't have bad lockout attempts and if
>Samba doesn't have
>this, I cannot deploy Samba 4.
>
>This setting is a security setting, it's very important.
>
>A virus attack can be moderated by this setting (password crack)
> and the
>security book for IS from my company says:
>
>11.1.3 User password management
>11.1.3.1  Recommendations  for access  account configuration 
>The recommendations for password configuration are as follows:
>- temporary initial password, to be modified upon first connection,
>- password chosen by the user and known only by him/her,
>- at least 8 characters,
>- renewed at least every three months (90 days),
>- no reuse of previous passwords (at least the last 10).
>
>The recommendations for account configuration are as follows:
>- suspension after 5 incorrect password entries (automatic or manual
>unlocking after a certain period)
>- rapid unlock procedure that also works at a distance,
>- restriction of connection times during the week for external user
>accounts (7am-10pm).
>
>With Samba 4, I cannot respect that. And I must
>
>best regards
>
>        Stéphane 
>
>-----------------------------------
>Stéphane PURNELLE                         Systems and Network Admin.
>IT Department              Corman S.A.           Tel : 00 32
>(0)87/342467
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
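As an added example (not from this thread, nor Samba's own code), a small POSIX shell check that reads the output of `samba-tool domain passwordsettings show` and compares it against the four numeric rules quoted above (8 characters, 90 days, history of 10, lockout after 5 attempts). The label names and the lockout lines are an assumption about the samba-tool output format of newer Samba versions; the sample output below is constructed, not captured from a real DC.

```shell
#!/bin/sh
# Compare the domain password settings of a Samba AD DC against the policy
# quoted in the thread: >= 8 characters, expiry <= 90 days, history >= 10,
# lockout after at most 5 bad attempts.
#
# SAMPLE is a constructed example of `samba-tool domain passwordsettings show`
# output (not captured from a real DC): 7-character minimum, lockout disabled.
SAMPLE='Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30'

# setting LABEL: print the value after "LABEL: " from the text on stdin,
# or 0 when the label is absent (older samba-tool prints no lockout lines)
setting() {
    awk -F': ' -v key="$1" '$1 == key { print $2; found = 1 }
                             END { if (!found) print 0 }'
}

# rule DESCRIPTION TEST-ARGS...: print PASS/FAIL and record failures in rc
rule() {
    desc=$1; shift
    if test "$@"; then echo "PASS: $desc"; else echo "FAIL: $desc"; rc=1; fi
}

# check_policy: read samba-tool output on stdin; exit 0 only if all rules pass
check_policy() {
    out=$(cat); rc=0
    minlen=$(printf '%s\n' "$out" | setting 'Minimum password length')
    maxage=$(printf '%s\n' "$out" | setting 'Maximum password age (days)')
    history=$(printf '%s\n' "$out" | setting 'Password history length')
    threshold=$(printf '%s\n' "$out" | setting 'Account lockout threshold (attempts)')
    rule "minimum password length >= 8" "$minlen" -ge 8
    rule "maximum password age between 1 and 90 days" "$maxage" -ge 1 -a "$maxage" -le 90
    rule "password history >= 10" "$history" -ge 10
    rule "lockout after 1-5 bad attempts (0 = never locks)" "$threshold" -ge 1 -a "$threshold" -le 5
    return $rc
}

# Stand-alone run against the sample; on a real DC pipe in:
#   samba-tool domain passwordsettings show | check_policy
printf '%s\n' "$SAMPLE" | check_policy || echo "domain settings do not meet the policy"
```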
