password memory
16 answers

The managers are discussing password requirements. The desire is
to disallow previously used passwords with memory of up to ten
passwords used. Is there a sweet and simple way to implement this in
SLES9/10? I don't see a pam module with this facility.
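The piece the question is looking for is the remember= option of pam_unix.so, which keeps the hashes of the last N passwords in /etc/security/opasswd and refuses a new password that matches any of them. The fragment below is an added example, not from the thread; the file name and the lines around it are assumptions for a SLES 10 style common-password stack and have to be merged into whatever the installed stack already contains:

```text
# Added example: password-history enforcement with the standard Linux-PAM
# modules (not from the thread). Assumed location: /etc/pam.d/common-password
# on SLES 10; on SLES 9 the same lines belong in the password section of
# /etc/pam.d/passwd.
#
# 1. quality checks first; difok=4 also rejects a new password that differs
#    from the old one in fewer than four characters
password requisite pam_cracklib.so retry=3 minlen=10 difok=4
# 2. pam_unix stores the previous hashes in /etc/security/opasswd and refuses
#    any password found among the last ten; md5 avoids the 8-character DES
#    truncation of the default hash (use sha512 on current Linux-PAM)
password required  pam_unix.so use_authtok md5 remember=10
```

Create the history file before enabling the option (touch /etc/security/opasswd; chmod 600 /etc/security/opasswd), because older pam_unix versions fail the change when it is missing, and expect history to apply only to passwords changed after the line is in place: the file starts empty. Check the result as root with passwd on a test account; a second attempt to set the same password should be refused with "Password has been already used. Choose another." SLES 9/10 ship SUSE's own pam_pwcheck.so and pam_unix2.so in this stack by default; pam_pwcheck documents a remember=N option of its own, which is the assumption to verify against man pam_pwcheck before relying on it. On current Linux-PAM there is also a dedicated pam_pwhistory.so module that takes remember=10.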
No.1
Tue, 1 Aug 2006 06:57 am, Ashley Gould wrote:
The managers are discussing password requirements.
The desire is to disallow previously used passwords
with memory of up to ten passwords used.
Is there a sweet and simple way to implement this in
SLES9/10? I don't see a pam module with this facility.
At work they change passwords every 3 months
with 8 previous passwords remembered.
This guarantees that everyone's password ends in a digit.
Setting more than 9 will ensure 2 digits ;^)
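The "everyone's password ends in a digit" effect described above is exactly what a plain history list does not catch: the new password hashes differently, so it is accepted. What follows is an added example, not code from the thread or from any PAM module, of the two checks a password-change hook has to combine: a hash-based history window (the new password must not match any of the last ten) and a similarity test against the old password, which is the one password available in cleartext at change time. Salted PBKDF2 stands in for crypt(3) here, and the edit-distance threshold is an assumption chosen to mirror what pam_cracklib's difok does:

```python
"""Password-history plus similarity check (added example, not from the thread).

Assumptions: salted PBKDF2 stands in for the crypt(3) hashes a real PAM
stack keeps in /etc/security/opasswd; the window size and the minimum
edit distance are illustrative policy values.
"""
import hashlib
import os
import re

REMEMBER = 10        # history window: the thread asks for the last ten passwords
MIN_CHANGES = 4      # minimum edit distance from the old password (difok-style)
ITERATIONS = 50_000  # PBKDF2 work factor, kept modest for the example


def hash_password(password, salt=None):
    """Return (salt, digest); pass an existing salt to re-derive for comparison."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def in_history(password, history):
    """True if the password re-hashes to any stored (salt, digest) pair."""
    return any(hash_password(password, salt)[1] == digest for salt, digest in history)


def edit_distance(a, b):
    """Levenshtein distance by the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(password):
    """Password with any trailing digit run removed, case-folded."""
    return re.sub(r"\d+$", "", password).lower()


def check_new_password(new, old, history):
    """Return None if acceptable, otherwise the reason for rejection.

    `old` is the current password, which PAM has in cleartext during the
    change; `history` holds (salt, digest) pairs for the last REMEMBER ones.
    """
    if in_history(new, history):
        return "password was used within the last %d changes" % REMEMBER
    # Summer2006 -> Summer2007 or Summer1 -> Summer12345: the hash differs
    # and the edit distance may be large, but only the digit tail moved.
    if stem(new) == stem(old):
        return "only the trailing digits changed"
    if edit_distance(new.lower(), old.lower()) < MIN_CHANGES:
        return "too similar to the old password (fewer than %d changes)" % MIN_CHANGES
    return None


def record_change(new, history):
    """Return the history with the new password appended and trimmed to REMEMBER."""
    return (history + [hash_password(new)])[-REMEMBER:]


if __name__ == "__main__":
    history = record_change("Summer2006", [])
    for candidate in ("Summer2007", "Summer06", "Sumer2006", "Winter2006"):
        print(candidate, "->", check_new_password(candidate, "Summer2006", history) or "ok")
```

The stem test is deliberately separate from the edit-distance test: "Summer1" to "Summer12345" is four insertions, enough to pass a difok-style rule, yet it is the same password with a longer counter.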
No.2
Ashley Gould wrote:
The managers are discussing password requirements. The desire is
to disallow previously used passwords with memory of up to ten
passwords used. Is there a sweet and simple way to implement this in
SLES9/10? I don't see a pam module with this facility.
Others have pointed out the technical methods, but honestly, I would
suggest to you that policy is unwise. Security is as much a human issue
as a technical one. In my experience, forcing people to keep changing
passwords has one single effect: people will write them down. I would
much prefer for someone to have a password they can remember that never
changes than to have passwords written all over Post-it notes.
Think about what you gain from changing passwords and measure it against
what you lose by having passwords written down all over the place.
The problem is password leakage. If a password falls into the wrong
hands, your security is breached. But what causes passwords to fall
into the wrong hands? What about changing passwords at intervals will
prevent leakage? Not much. Think about it. Nearly all avenues of
password leakage are current, so changing it every month or 3 months is
really irrelevant. As soon as the perp has the password, he's in and the
damage is done. Changing the password next month won't do any good.
Dictionary attacks and whatnot are equally irrelevant to password
changes; they don't take a month to perform, so the chances of you
changing your password mid-attack are slim.
Making your users' lives simpler has a much greater beneficial effect on
security. The more hoops they have to jump through, the greater the
chance that they will simply circumvent the procedure.
No.3
Monday 31 July 2006 16:42, suse (AT) rio (DOT) vg wrote:
forcing people to keep changing
passwords has one single effect: People will write them down.
I was hoping someone would point that out.
A longer (unchanging) password (more than ten characters) is harder to guess
than a monthly changing short one, which EVERY user changes via an easily
discernible pattern.
No.4
John Andersen wrote:
Monday 31 July 2006 16:42, suse (AT) rio (DOT) vg wrote:
forcing people to keep changing
passwords has one single effect: People will write them down.
I was hoping someone would point that out.
A longer (unchanging) password (more than ten characters) is harder to guess
than a monthly changing short one, which EVERY user changes via an easily
discernible pattern.
Even one step better is the idea of "passphrases" rather than passwords.
It's much easier for someone to remember a simple phrase than
"k4M3.HhZ". If you have, for instance, someone enamored of a certain
Chicago sports team, their passphrase could be "Da'Bears are
Da'Bestest!" If someone has a poor memory for things, have them pick
something that rhymes or a mnemonic.
To be honest, though, I haven't seen a real dictionary attack in many
years. Mostly, it's people knocking on port 22 looking for a
passwordless account (ones with the password "password" or "guest").
No.5
On Tuesday 01 August 2006 17:09, suse (AT) rio (DOT) vg wrote:
Even one step better is the idea of "passphrases" rather than passwords.
It's much easier for someone to remember a simple phrase than
"k4M3.HhZ". If you have, for instance, someone enamored of a certain
Chicago sports team, their passphrase could be "Da'Bears are
Da'Bestest!" If someone has a poor memory for things, have them pick
something that rhymes or a mnemonic.
In principle, that's good advice, but most people, besides not being able
to spell correctly (or even incorrectly), can't remember how they misspelled
their passphrase. In the end, they write it down.
But using a phrase, or the first letters of all the words in this phrase or
something equally irritating ;), seems to be the better choice (better than
making them change their password every so often).
To be honest, though, I haven't seen a real dictionary attack in many
years. Mostly, it's people knocking on port 22 looking for a
passwordless account (ones with the password "password" or "guest").
Here I must contradict you:
about every two to three weeks some machine or other starts dictionary attacks on
any number of my firewalls. The logs are full of "unknown user" and "wrong
password" lines in rapid succession.
Greetings from Vienna
Wolfgang
No.6
Wolfgang Leithner wrote:
On Tuesday 01 August 2006 17:09, suse (AT) rio (DOT) vg wrote:
In principle, that's good advice, but most people, besides not being able
to spell correctly (or even incorrectly), can't remember how they misspelled
their passphrase. In the end, they write it down.
But using a phrase, or the first letters of all the words in this phrase or
something equally irritating ;), seems to be the better choice (better than
making them change their password every so often).
Well, just spell the passphrase correctly. What's wrong with that? My
Bears example may have been a bit culture-centric to here in the States.
For someone who likes Edgar Allan Poe, you could have "Quoth the Raven,
Nevermore", or for someone who liked Moby Dick "Call me Ishmael.". For
someone who likes American Idol: "Simon is a real Jerk!" For a
classical musician: "A Flute Player is a Flautist" (which I found out
recently). The key is for the user to come up with it themselves, or at
least tailor it to them. If someone speaks another language, use that.
With a highly variable number of characters, dictionary attacks become
exponentially more difficult, even if you stick to fairly straightforward
language. Rather than go for numbers, I'll try to include a word that
is rare or at least uncommon, and capitalization that is natural, but
difficult for a computer to guess, and throw in some punctuation somewhere
for good measure.
Here I must contradict you:
about every two to three weeks some machine or other starts dictionary attacks on
any number of my firewalls. The logs are full of "unknown user" and "wrong
password" lines in rapid succession.
Yes, I get those every day. However, look at them more closely. I
haven't had a single case in several years where the same username was
tried over and over. They'll knock on the ssh port trying a whole bunch
of usernames, but only one or two passwords, and usually no password at all.
No.7
suse (AT) rio (DOT) vg wrote:
John Andersen wrote:
Monday 31 July 2006 16:42, suse (AT) rio (DOT) vg wrote:
forcing people to keep changing
passwords has one single effect: People will write them down.
I was hoping someone would point that out.
A longer (unchanging) password (more than ten characters) is harder to guess
than a monthly changing short one, which EVERY user changes via an easily
discernible pattern.
Even one step better is the idea of "passphrases" rather than passwords.
It's much easier for someone to remember a simple phrase than
"k4M3.HhZ". If you have, for instance, someone enamored of a certain
Chicago sports team, their passphrase could be "Da'Bears are
Da'Bestest!" If someone has a poor memory for things, have them pick
something that rhymes or a mnemonic.
I take this one step further. Take a longer phrase and use the first
character of each word. Throw in some type of punctuation. Do the
typical substitutions and you can generate a relatively obscure password:
There are 11 players on a football team and 9 on a baseball team.
Ta11poafta9oabt.
To be honest, though, I haven't seen a real dictionary attack in many
years. Mostly, it's people knocking on port 22 looking for a
passwordless account (ones with the password "password" or "guest").
I'd say that's just a very small dictionary they're working from. :)
No.8
suse (AT) rio (DOT) vg wrote:
Yes, I get those every day. However, look at them more closely. I
haven't had a single case in several years where the same username was
tried over and over. They'll knock on the ssh port trying a whole bunch
of usernames, but only one or two passwords, and usually no password at all.
I can confirm this, their dictionaries are normally < 50 words, the most
I've seen lately are about 200 entries from one IP.
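What the two posts above describe, many account names from one address with one or two guesses each, is a pattern a log parser can tell apart from a real dictionary attack on a single account, and it is also the per-address tally a blocking tool works from. The following is an added example, not code from the thread or from DenyHosts: it reads sshd "Failed password" lines, counts them per source address and labels each address. The log lines are constructed for the example, and the thresholds (block after five failures, five distinct names for a sweep) are illustrative, not anyone's defaults.

```python
"""Per-address classification of sshd password failures (added example).

Not code from the thread or from DenyHosts.  The log lines are constructed
in the usual sshd syslog format and the thresholds are illustrative.
"""
import re
from collections import defaultdict

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

DENY_AFTER = 5    # failures from one address before it would be blocked
SWEEP_USERS = 5   # distinct account names that make a run look like a sweep

# Constructed sample: one address walking a list of account names with a
# single guess each, one hammering root with a word list, and one genuine
# user who mistypes twice and then logs in.
SAMPLE_LOG = [
    *("Aug  1 06:57:%02d fw1 sshd[22%02d]: Failed password for invalid user %s "
      "from 192.0.2.10 port 43%03d ssh2" % (i, i, name, i)
      for i, name in enumerate(["admin", "test", "guest", "oracle",
                                "www", "ftp", "staff", "user"])),
    *("Aug  1 07:12:%02d fw1 sshd[23%02d]: Failed password for root "
      "from 198.51.100.7 port 51%03d ssh2" % (i, i, i) for i in range(12)),
    "Aug  1 07:30:01 fw1 sshd[2401]: Failed password for ashley from 203.0.113.5 port 60001 ssh2",
    "Aug  1 07:30:09 fw1 sshd[2401]: Failed password for ashley from 203.0.113.5 port 60001 ssh2",
    "Aug  1 07:30:15 fw1 sshd[2401]: Accepted password for ashley from 203.0.113.5 port 60001 ssh2",
]


def parse_failures(lines):
    """Yield (ip, user, invalid_account) for each 'Failed password' line."""
    for line in lines:
        m = FAILED.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None


def summarize(lines, deny_after=DENY_AFTER, sweep_users=SWEEP_USERS):
    """Tally failures per source address and label the pattern."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": defaultdict(int), "invalid": 0})
    for ip, user, invalid in parse_failures(lines):
        rec = per_ip[ip]
        rec["attempts"] += 1
        rec["users"][user] += 1
        rec["invalid"] += int(invalid)

    report = {}
    for ip, rec in per_ip.items():
        users = rec["users"]
        peak = max(users.values())
        if rec["attempts"] < deny_after:
            verdict = "below threshold"
        elif len(users) >= sweep_users and peak <= 2:
            verdict = "username sweep"          # many names, one or two guesses each
        elif len(users) == 1:
            verdict = "dictionary attack on one account"
        else:
            verdict = "mixed"
        report[ip] = {
            "attempts": rec["attempts"],
            "distinct_users": len(users),
            "peak_per_user": peak,
            "invalid_accounts": rec["invalid"],
            "verdict": verdict,
            "deny": rec["attempts"] >= deny_after,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print("%-14s %3d failures, %2d names, peak %2d -> %s%s" % (
            ip, info["attempts"], info["distinct_users"], info["peak_per_user"],
            info["verdict"], " [deny]" if info["deny"] else ""))
```

To run it over a real log, replace SAMPLE_LOG with the lines of /var/log/messages (or wherever sshd logs on the box). The invalid_accounts count is the cheap signal that the names being tried do not exist locally, and the deny flag is the point at which a tool like DenyHosts would add the address to /etc/hosts.deny.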
No.9
Tuesday, 1 August 2006 17:09, suse (AT) rio (DOT) vg wrote:
To be honest, though, I haven't seen a real dictionary attack in many
years. Mostly, it's people knocking on port 22 looking for a
passwordless account (ones with the password "password" or
"guest").
which can be easily circumvented by relocating sshd to another port.
Pete
No.10
Geoffrey wrote:
I take this one step further. Take a longer phrase and use the first
character of each word. Throw in some type of punctuation. Do the
typical substitutions and you can generate a relatively obscure password:
There are 11 players on a football team and 9 on a baseball team.
Ta11poafta9oabt.
It's clever and nifty but users hate it. You see, it means that every
time they type in their password, they have to think about it, and will
frequently make typing errors, increasing frustration as they run
through it constantly wondering if they maybe missed a letter or
mistyped, since they can't see what they're typing. For a tech, it's a
good system, for the average user, they hate it.
This comes back to the initial problem: Security is a human issue. The
more difficult/time consuming/annoying for the user, the better the
chance that it will simply be circumvented.
To be honest, though, I haven't seen a real dictionary attack in many
years. Mostly, it's people knocking on port 22 looking for a
passwordless account (ones with the password "password" or "guest").
I'd say that's just a very small dictionary they're working from. :)
Vocabulary isn't their strong point. :)
No.11
suse (AT) rio (DOT) vg wrote:
Geoffrey wrote:
I take this one step further. Take a longer phrase and use the first
character of each word. Throw in some type of punctuation. Do the
typical substitutions and you can generate a relatively obscure password:
There are 11 players on a football team and 9 on a baseball team.
Ta11poafta9oabt.
It's clever and nifty but users hate it. You see, it means that every
time they type in their password, they have to think about it, and will
frequently make typing errors, increasing frustration as they run
through it constantly wondering if they maybe missed a letter or
mistyped, since they can't see what they're typing. For a tech, it's a
good system, for the average user, they hate it.
Then they should get over it. Come on, it's not all that difficult.
If you're going to have a long password, it's best to have a way to
remember. My 15 year old daughter uses this approach and if she can do
it, I'd suggest any adult should. Let's face it, there's not an easy
way of forcing good passwords. Create a policy that works, even if it's
a bit painful. That's certainly better than the sticky note approach,
or the password is their dog's name solution.
This comes back to the initial problem: Security is a human issue. The
more difficult/time consuming/annoying for the user, the better the
chance that it will simply be circumvented.
Agreed, but I don't see the above solution as nearly as difficult as forced
password changes or other solutions proposed. This, I see at least
workable. That is, they'll complain, but they'll get used to it.
To be honest, though, I haven't seen a real dictionary attack in many
years. Mostly, it's people knocking on port 22 looking for a
passwordless account (ones with the password "password" or "guest").
I'd say that's just a very small dictionary they're working from. :)
Vocabulary isn't their strong point. :)
No.12
Tuesday 01 August 2006 07:34, Geoffrey wrote:
Do the
typical substitutions and you can generate a relatively obscure password:
There are 11 players on a football team and 9 on a baseball team.
Ta11poafta9oabt.
What's he talking about?
BTFM.
No.13
Ralf Ronneburger wrote:
suse (AT) rio (DOT) vg wrote:
Yes, I get those every day. However, look at them more closely. I
haven't had a single case in several years where the same username was
tried over and over. They'll knock on the ssh port trying a whole bunch
of usernames, but only one or two passwords, and usually no password at all.
I can confirm this, their dictionaries are normally < 50 words, the most
I've seen lately are about 200 entries from one IP.
DenyHosts is your friend in those situations. It will block the kiddie
in 30 seconds and reduce the number of log entries.
/Ingvar
No.14
John Andersen wrote:
Tuesday 01 August 2006 07:34, Geoffrey wrote:
Do the
typical substitutions and you can generate a relatively obscure password:
There are 11 players on a football team and 9 on a baseball team.
Ta11poafta9oabt.
What's he talking about?
BTFM.
Substitutions as in a number one for the lowercase 'l', a zero for the
lower case 'o', the number 5 for the lowercase 's'. I didn't do any in
the above example because of the numbers that already existed in the phrase.
Point is, it's hard for anyone to remember a long password unless it's
something simple, say, their name. With the above approach anyone can
remember a phrase that makes sense to them. Even if their spelling is
incorrect, if they are consistent, it still works.
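The rule Geoffrey describes, first character of each word, numbers kept whole, punctuation kept, and the digit-for-letter swaps applied on request, as an added example in Python (not code from the thread). The phrase from the post is the check case; the substitution table is the one he lists, and how tokens that start with something other than a letter or digit are handled is an assumption of this example:

```python
"""First-letter passphrase derivation (added example, not from the thread)."""
import re

# The substitutions named in the post: 1 for l, 0 for o, 5 for s.
SUBSTITUTIONS = {"l": "1", "o": "0", "s": "5"}

# head: a whole number or a single letter; tail: punctuation ending the word
TOKEN = re.compile(r"^(\d+|\w)(.*?)(\W*)$")


def phrase_to_password(phrase, substitute=False):
    """Derive a password from a phrase by the first-letter rule.

    Numbers are kept whole so "11 players" contributes "11", punctuation that
    ends a word is kept ("team." gives "t."), and with substitute=True the
    digit-for-letter swaps are applied to the result.
    """
    parts = []
    for word in phrase.split():
        m = TOKEN.match(word)
        if not m:
            # assumption: a token that does not start with a letter or digit
            # (a dash, an ellipsis) is kept as it is
            parts.append(word)
            continue
        head, _, tail = m.groups()
        parts.append(head + tail)
    password = "".join(parts)
    if substitute:
        password = "".join(SUBSTITUTIONS.get(c, c) for c in password)
    return password


if __name__ == "__main__":
    phrase = "There are 11 players on a football team and 9 on a baseball team."
    print(phrase_to_password(phrase))
    print(phrase_to_password("one small step for man, one giant leap", substitute=True))
```

Because the substitution step is applied to the derived string rather than the phrase, a phrase with no l, o or s among its initials comes out unchanged, which is why the post's own example contains none: its digits come from the phrase itself.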
No.15
8/2/06, Geoffrey <esoteric (AT) 3times25 (DOT) net> wrote:
John Andersen wrote:
Tuesday 01 August 2006 07:34, Geoffrey wrote:
Do the
typical substitutions and you can generate a relatively obscure password:
There are 11 players on a football team and 9 on a baseball team.
Ta11poafta9oabt.
What's he talking about?
BTFM.
Substitutions as in a number one for the lowercase 'l', a zero for the
lower case 'o', the number 5 for the lowercase 's'. I didn't do any in
the above example because of the numbers that already existed in the phrase.
Point is, it's hard for anyone to remember a long password unless it's
something simple, say, their name. With the above approach anyone can
remember a phrase that makes sense to them. Even if their spelling is
incorrect, if they are consistent, it still works.
No.16
Thomas Jones wrote:
Geoffrey's implementation may not be perfect for every scenario or
environment; however it is a good start. ;)
I agree, it's not perfect, but my 15 year old daughter uses it, because
the security geek in the house says she will. If she can, I have no
doubt any adult in a corporate environment can. They just need the
right incentive.
I would like to say that another huge aspect of the problem is that
non-tech management does not place enough (any?) emphasis on
computer/network security. They're just like everyone else. They want
it secure, but they want it easy and painless. Look, it doesn't happen.
When you get in a car, you have to have your key, put on your
seatbelt, stop at stop signs and so on. We've all adapted to those
issues. We all need to adapt to computer security solutions. That
point is not getting across from the right people.