Author Message
sidhe
FORCED Password changes   Apr 5 20:09 UTC 1995

        Ahem. I realize the reasons behind "Forced Password Changes" once
a year are good, and intended to protect people. BUT, I personally find it
repulsive! I do change my password occasionally, but being FORCED to, as
a matter of policy, is upsetting. What are everyone else's feelings on this?
Were you even aware that you HAVE to change your password once a year,
as dictated by the software, here? <sidhe is severely nonplussed>
226 responses total.
danr
response 1 of 226: Apr 5 20:25 UTC 1995

Many systems require even more frequent password changes.  Changing your
password regularly just makes sense, and is a small price to pay for
better system security.  
ajax
response 2 of 226: Apr 5 20:27 UTC 1995

  Didn't know about it myself.  I generally change my password more
frequently than that, but I don't like it either.  A reminder, even
a couple stern reminders, sure, but I don't like forced changes.
 
  Some systems allow you to change back to your original password, or
allow it if you change your password a few times one right after the
other, then set it back to the original...does Grex have a workaround
like that?
lilmo
response 3 of 226: Apr 5 21:04 UTC 1995

I'd be surprised if it did not...
robh
response 4 of 226: Apr 5 22:06 UTC 1995

(A)  I knew about it.  (B)  I don't much like it,
but it's better than being infested by hackers every few days.
steve
response 5 of 226: Apr 5 22:43 UTC 1995

   In this day of increased abilities to crack password files,
changing passwords often is *vital*.  Vital to your own security
on Grex (or any other system), vital to Grex itself.

   Think of the trouble you'd be in if someone got your password
and sent a death threat to someone high up in the United States
Government.  You'll have quite a time getting out of that.

   Think about the problems for Grex in general, if someone cracks
a password and starts doing things as someone else, sends mail, 
posts something, etc.  How does that make Grex look?

   Having a "favorite" password is very common.  It's also common
to have the same password across different systems, too.  These
are *really* bad ideas.

   In general, passwords should be changed every couple of months.
More often, if the password is used over a network of any sort.

scg
response 6 of 226: Apr 6 00:54 UTC 1995

        I change my password far more often than once per year, so I
haven't come up against the passwords expiring, but before people attack
it, it would help to go into the history of it.  Somebody should correct me
if I'm remembering it wrong, but I think it was somewhere a little over a
year ago, right before Grex went on the Net, when somebody cracked a lot
of passwords in Grex's password file, and posted them in an item in Agora.
At that time, staff did two things that were announced publicly:
expiring all the passwords then, and making them expire periodically after
that, and going to a shadow password system.  Staff probably also did some
things that weren't announced, for security reasons, but I don't know
what those were (and wouldn't say if I did).  The requirement was
originally that people would have to change their passwords every few
months, but the one year limit was a compromise after people complained
that the original setup was too often.  Given the history, this is not
some sort of fascist system forcing people to change their passwords, but
rather a realization that if we had our password file cracked once, it
could happen again.
        For reasons I don't understand, there are some people who find
even changing a password and relearning it even once a year to be too much
trouble.  For that matter, there are people who object to having to type a
password to get into their accounts at all.  Still, Grex would be getting
a lot more complaints if people's accounts were routinely getting cracked
than if people have to change their password once per year.  For those who
really want to keep the same password for several years, there is a
workaround.  You can change your password twice: once to satisfy the
password changing requirement, and once to satisfy yourself.
mdw
response 7 of 226: Apr 6 02:14 UTC 1995

The only significant security thing I can think of that scg didn't
mention is that the password program does a fair amount of password
quality checking, as does newuser.  The specific reason is to keep
people from picking words that might appear in a cracker's dictionary -
because that's how they crack accounts.  The dictionaries here are a bit
wimpy - just because passwd accepts it doesn't mean it's secure.
Newuser makes virtually the same check.  If you *really* want an
insecure password, passwd won't stop you if you're persistent.  Newuser
is a bit more fascist: it insists you pick a secure password, at least
to start with.  Believe you me, I'm no more fond of having to write and
maintain the code to deal with all of this, than sidhe is to have to
endure it.

This bit about password security isn't just imaginary jumping at
shadows.  On practically a weekly basis, we have some stupid new
would-be cracker or another ftp'ing a copy of the grex passwd file -
since it doesn't have any encrypted passwords, that's a complete waste
of network bandwidth.  Every so often, we run across smarter vandals who
take advantage of the open access policy and free file storage on grex
to store and share lists of stolen passwords.  That happens on at least
a monthly basis.  Occasionally, we've had vandals who have been lucky
enough to find a way to break into grex.  As soon as we find these, we
act as quickly as we can to figure out what hole they found in the
system, and to plug it, and we don't generally give out any more
specific information than we have to on what we found or fixed, to avoid
giving the vandal any more information than we have to on how we found
them, or how we hope we've stopped them, and also to avoid giving them
any kind of social reward.

When vandals break in, they don't tend to look at private mail.  They
usually tend to do these 3 things: (1) find and erase any log file
information they can find, (2) introduce additional holes in the system
to make it easier to break in again, and (3) grab a copy of the shadow
password database so they can find weak accounts on this system.  If
they can crack any, they'll probably look to see if they can find that
person elsewhere - on some more secure machine that doesn't run newuser,
where they can repeat this exercise.  Indeed, something like between 10%
and 50% of the breakin attempts we have on grex come *from* stolen
accounts on computers elsewhere.  There's nothing particularly
mysterious or secret about any of this.  Indeed, there's any number of
books out on all this.  If you want to find a book - _Secrets of a Super
Hacker_ is a fairly good introduction to cracker culture.
There's also an electronic newsletter -- "phrack".

What that all means is: don't pick a password out of the dictionary.
Don't set it to be the same as one you use on any other system.  Don't
keep anything of real monetary value on grex, or any information that
you would consider highly private.  It's not likely you'll need to worry
much past that - there's enough stuff on grex's 2 G drive, that the
chances of a cracker actually paying any *real* attention to your
personal files are vanishingly small.
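The dictionary-style quality check mdw describes, as an added illustration rather than Grex's passwd or newuser code: it folds a candidate into the forms a cracker's wordlist run would also cover (case-folded, punctuation and digits stripped, reversed, letter-for-digit substitutions undone) and reports every reason the candidate is weak. The wordlist, the minimum length and the rule set are assumptions; a real check loads a system wordlist.

```python
import string

MIN_LEN = 8
# Constructed toy wordlist standing in for a cracker's dictionary (assumption);
# a real check would load a full system wordlist and more.
DICTIONARY = {"password", "secret", "grex", "welcome", "letmein", "dragon", "sunshine"}

# Undo the letter-for-digit substitutions that dictionary attacks try as a matter of course.
_UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def dictionary_forms(candidate: str):
    """Yield the forms of a candidate that a dictionary attack would also cover."""
    low = candidate.lower()
    core = "".join(ch for ch in low if ch.isalnum())  # punctuation removed
    yield low
    yield core
    yield core.rstrip(string.digits)                   # "password123" -> "password"
    yield core.lstrip(string.digits)                   # "123password" -> "password"
    yield core[::-1]                                   # "drowssap" -> "password"
    yield low.translate(_UNLEET)                       # "p4$$w0rd" -> "password"
    yield core.translate(_UNLEET).rstrip(string.digits)


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return the reasons a candidate password is weak; an empty list means it passes.

    A newuser-style strict policy rejects on any reason; a passwd-style lenient
    policy might only warn, which is the difference mdw draws above."""
    problems = []
    if len(candidate) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if username and username.lower() in candidate.lower():
        problems.append("contains the account name")
    if candidate.isalpha() or candidate.isdigit():
        problems.append("only letters or only digits")
    if any(form in DICTIONARY for form in dictionary_forms(candidate)):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for pw in ("password123", "p4$$w0rd", "drowssap", "sidhe2go", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, 'sidhe') or 'accepted'}")
```

The point of `dictionary_forms` is the one mdw makes: a check that only compares the literal string against the wordlist is "wimpy", because crackers feed their dictionaries through exactly these transformations before hashing.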
popcorn
response 8 of 226: Apr 6 13:36 UTC 1995

By the way, a cracker did download a copy of Grex's password file this
past weekend (the real shadow password file, not /etc/passwd), and he
did crack at least two accounts by decrypting the passwords in it.
It's a *really* good idea to change your password now, if you haven't
done it since the weekend.
steve
response 9 of 226: Apr 6 15:29 UTC 1995

  Ahem: "it" stole the file.  We don't know if this is a male
cyberslime or the female variety. ;-)
sidhe
response 10 of 226: Apr 6 20:08 UTC 1995

        This is all well and good, but I am still with ajax: a reminder,
even a harsh one <or many, if it makes you feel better>, is much
preferable to being FORCED to change your password. I am certainly
relieved that it is no longer once every few months; as it is, it is
unacceptable enough!
        I know about different passwords/different systems, and practice that
religiously. This is part of why I feel the forced change is a very
hostile and draconian endeavour: I already have to keep track of which
system I'm logging into, for password's sake, but now I MUST change it,
period, as opposed to when I'm ready to deal with the rememorization?
Absolutely unacceptable.
adbarr
response 11 of 226: Apr 6 23:21 UTC 1995

Changing passwords is a pain.  But why do we have passwords at all?
If passwords are accepted as necessary, they must be secure, by
definition.  This is an unfortunate, but necessary cost of doint
- correction - doing business in this environment, and I think
it is a small price to pay for the benefit to all that is received.
And I still agree it is a big pain.  Attitude is everything.
janc
response 12 of 226: Apr 7 00:08 UTC 1995

I don't care enough about the security of my Grex account to bother changing
my password.  Some other accounts I care a bit more about, but not much.
I suppose the system staff has to act as if these things matter, but I don't
see why they should force users to act that way.  An advisory thing would
be better than a mandatory thing.
popcorn
response 13 of 226: Apr 7 04:17 UTC 1995

Re 10: But, if you're getting forced to change your password, it means
you haven't changed it in a year.  Which means that, left to your own
pace, you don't seem to be getting around to changing it very often.

I agree, a warning message would be nicer than a forced password
change.  Though sometimes it seems that the users who complain the most
about having to change their passwords once a year are the same ones
who complain the loudest when their accounts are broken into.
steve
response 14 of 226: Apr 7 13:01 UTC 1995

   Unfortunately true.  We could change the shadow system to not demand
new passwords, ever, but it would take time, and it really should be
done.
   Jan, it really *does* matter, even on a small amateur system like
grex; what if an established account is broken into and a death threat
is sent to the President?  That is a real problem, no matter if it came
from a "professional" .COM site, CompuServe, or something more odd like
Grex.
   Passwords and the stealing thereof do matter a great deal.
selena
response 15 of 226: Apr 7 15:09 UTC 1995

        Okay, it's important, BUT I *hate* the forced change idea. Kill it,
and just send reminders. Hell, you could even remind once every month, if
you wanted to, that wouldn't bother me, and it would keep it on my mind.
Isn't there enough crap forced on people, without having to do this? Let
it alone, and just play it so that WE have control over when, and how
often we change our passwords! The importance has been told to us,
repeatedly, above, but I for one don't care enough about it to wanna
be FORCED into it!!
        Leave well enough alone.
gregc
response 16 of 226: Apr 7 15:56 UTC 1995

There are 2 separate issues going on here:
1.) We had a breakin and the thief stole the password file. We are
    *suggesting* that people change their passwords to protect themselves.
2.) Above and beyond the current incident, the login system expires all
    passwords after they become 1 year old. 30 days before your password
    expires, you will begin to see messages of the form: "Your password
    expires in XX days. Please change it." when you login.

As for "leave well enough alone", we haven't changed anything. The current
login software has been in place for over a year now. Nothing is new.

Unfortunately, system security is important, regardless of whether you
care about your account or not. The people who maintain Grex could find
their ass in a sling someday if we didn't maintain a modicum of security.

And frankly, Selena, considering all that you get from this system for free,
I find your constant whining and bitching about "all these terrible
restrictions that are forced on people" to be rather petty and annoying.
Go look up "gaul" in the dictionary.
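The aging behaviour gregc describes (expiry once a password is a year old, warnings starting 30 days out) written out as an added example rather than Grex's login code, together with a password-history check that closes the "change it twice and set it back" workaround discussed earlier in the thread. The hash scheme, `HISTORY_DEPTH` and the account record layout are assumptions; the dates in the usage block are constructed.

```python
import hashlib
import os
from datetime import date, timedelta

MAX_AGE_DAYS = 365   # a password expires once it is a year old (response 16)
WARN_DAYS = 30       # login warnings begin 30 days before expiry (response 16)
HISTORY_DEPTH = 2    # assumption: how many recent passwords are remembered


def password_status(last_changed: date, today: date) -> tuple[str, int]:
    """Classify a password as "ok", "warn" or "expired" and return the days left."""
    days_left = (last_changed + timedelta(days=MAX_AGE_DAYS) - today).days
    if days_left <= 0:
        return "expired", days_left
    if days_left <= WARN_DAYS:
        return "warn", days_left
    return "ok", days_left


def login_message(last_changed: date, today: date) -> str:
    """The message shown at login, using the wording quoted in the thread."""
    state, days_left = password_status(last_changed, today)
    if state == "expired":
        return "Your password has expired. You must change it before continuing."
    if state == "warn":
        return f"Your password expires in {days_left} days. Please change it."
    return ""


def _digest(password: str, salt: bytes) -> bytes:
    # Salted, slow hash for the history list. A real login system stores
    # passwords with crypt(3)/bcrypt/scrypt rather than a hand-rolled scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_account(name: str, password: str, changed_on: date) -> dict:
    """Constructed account record: name, per-account salt, recent digests, last change."""
    salt = os.urandom(16)
    return {"name": name, "salt": salt,
            "history": [_digest(password, salt)], "last_changed": changed_on}


def change_password(account: dict, new_password: str, today: date) -> bool:
    """Install a new password unless it matches one of the last HISTORY_DEPTH.

    With HISTORY_DEPTH >= 2, changing twice to land back on the old password
    is rejected; the user needs HISTORY_DEPTH + 1 distinct changes to reuse it."""
    digest = _digest(new_password, account["salt"])
    if digest in account["history"][-HISTORY_DEPTH:]:
        return False
    account["history"] = (account["history"] + [digest])[-HISTORY_DEPTH:]
    account["last_changed"] = today
    return True


if __name__ == "__main__":
    today = date(1995, 4, 6)  # constructed date matching the thread
    acct = new_account("sidhe", "first-pass", date(1994, 4, 6))
    print(login_message(acct["last_changed"], today) or "no warning")
    print("reuse allowed?", change_password(acct, "first-pass", today))
    print("new password accepted?", change_password(acct, "second-pass", today))
    print(login_message(acct["last_changed"], today) or "no warning")
```

`password_status` is the only piece of state the login check needs, so the same function serves both the advisory approach several posters ask for (print the message, let the user in) and the enforced one Grex runs (refuse the login until the password is changed).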
steve
response 17 of 226: Apr 7 16:29 UTC 1995

   Forcing a password change once a year was, I believe, the minimum
amount of annoyance we could set up given the shadow system we got
and installed here.

   Unfortunately, the ramifications of an individual being lax in
the maintenance of their passwords go beyond that one individual.
This is something that I did not see myself, until recently.
adbarr
response 18 of 226: Apr 7 17:48 UTC 1995

See Password item in Agora.
robh
response 19 of 226: Apr 7 22:54 UTC 1995

Re 16 - Gaul - a region of the Roman Empire corresponding to
modern-day France.

Or did you mean "gall"?  >8)
jep
response 20 of 226: Apr 8 02:28 UTC 1995

        Overcome by the wisdom and foresight of the staff -- who have
eloquently and thoughtfully used power phrases like "broke root and
downloaded the shadow password file", which affect me much like "stole
the contents of Fort Knox" would affect an analyst for the Treasury
Department -- I have changed my password.
steve
response 21 of 226: Apr 8 02:33 UTC 1995

heh
lilmo
response 22 of 226: Apr 8 03:53 UTC 1995

Let me restate a couple of points that were made, and seemed to me to be
important and relevant, but were not defended rigorously:

1.  Someone breaking into your account is not merely an inconvenience
  for you (or worse), but is a problem for Grex, since, if I understand
  correctly, it could be the means for a hacker to get into other accts,
  and then into these others' accts on OTHER COMPUTERS.

2.  Even if this means nothing to you, you can change your password back.

3.  If even THIS is unacceptable, well, no one is forcing you to stay here.

(Okay, three points; so sue me *grin* )
gregc
response 23 of 226: Apr 8 05:38 UTC 1995

Oh, gag. Yes, I meant "gall".
janc
response 24 of 226: Apr 8 06:37 UTC 1995

The prospect of someone breaking into my account and mailing death threats
to the president entirely fails to frighten me.  Among the risks I take
every day, like driving cars and eating hamburgers, that one is too silly
to pay any attention to.

- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss