keesan, response 75 of 224, May 15 23:52 UTC 2003:
Re 73 (which slipped in) I ran the change program to 'force vt102'.
Maybe the new grex will, like OpenBSD, recognize linux. Not a big problem,
there are other ways of using lynx without arrow keys. (And perhaps the
second set of arrow keys would work, the ones on the 102-key keyboard.)
I may try vt300 and see if that works better.

anderyn, response 76 of 224, May 16 01:19 UTC 2003:
Hmm. The office computer which I'm using is now using Linux. And it seems
completely transparent to telnet, in terms of any difference from the Unix
we were using before. (Both machines I'm using as terminals are Windows
machines, but the mainframe/window I work in is Linux-based.)

cross, response 77 of 224, May 16 02:26 UTC 2003:
This response has been erased.

gelinas, response 78 of 224, May 16 02:31 UTC 2003:
I *think* password-expiration was set up a *long* time ago, as one of
those general-security things.
Since SSH doesn't work with the current expiration method, I'd recommend
anyone using it resetting their password *again*, after using telnet to
reset it. (This recommendation is probably unnecessary, since those using
SSH know why they are using it.)

keesan, response 79 of 224, May 16 04:05 UTC 2003:
R 77 - I realized after I responded that grex will be OpenBSD ;)
Why would the queuing telnet demon mess up two people consistently while the
other two of us never have problems, with identical linuxes? Could it be
something to do with different ISPs? One of the working ISPs is in New
Zealand, mine is in Michigan.

gull, response 80 of 224, May 17 00:08 UTC 2003:
I've never really understood password expiration. It seems to me it
doesn't help anything unless your password's been discovered, but if
your password's been discovered then the person who knows it can keep it
from expiring.

gelinas, response 81 of 224, May 17 01:42 UTC 2003:
"Passwords are like underwear: Change them often." In general, it is a very
good idea to change your password every now and again. Password expiration
is how sysadmins enforce a maximum duration for a password.

gull, response 82 of 224, May 17 03:09 UTC 2003:
That doesn't answer my question, though. What does changing them often
solve? The only point I can see is if you're attempting to change it
often enough that no password is in effect long enough that it can be
brute-forced successfully.

jep, response 83 of 224, May 17 03:27 UTC 2003:
At work, I presume they want people to change their passwords often so
the passwords are written to post-it notes attached to their computer
monitors. After a few months, the post-it notes fall off, see.
On Grex, when I'm forced to change my password, I do so and then I
run "passwd" again and change it back.
On M-Net, I've had the same password for 12 years. If someone can e-mail
me my M-Net password, I will Paypal to Grex or M-Net (their choice) a $100
donation.

jmsaul, response 84 of 224, May 17 03:55 UTC 2003:
Re #80: Not without alerting you, they can't.
Re #81: Hey, that sounds familiar...

gelinas, response 85 of 224, May 17 04:30 UTC 2003:
It should, Joe. ;)
How are passwords vulnerable? Brute-force guessing and sniffing are
two vulnerabilities that come immediately to mind. Sniffing is seldom
a real-time attack: collect them for a while and then try to use them.
Changing your password at irregular but (relatively) short intervals makes
sniffing less useful. Sure, a year is plenty of time for a sniffing
attack, but it's better than never.
As always, sysadmins are trying to balance security and utility.
Different folks are going to come down at different places on the continuum.

rcurl, response 86 of 224, May 17 04:38 UTC 2003:
I favor dropping the required password changes.

jazz, response 87 of 224, May 17 05:41 UTC 2003:
Required password changes, if too frequent, and too unfamiliar to
users, lead to more people writing down their passwords, or reusing them, and
that creates a different kind of vulnerability.

cross, response 88 of 224, May 17 06:56 UTC 2003:
This response has been erased.

jep, response 89 of 224, May 17 12:23 UTC 2003:
I don't think I'd agree that passwords are useless. I just think you
have to consider the application for which it's applied.
This is Grex. If someone posts a message under my name, the world
will survive the experience. If they log in as me, and change my
password, and begin posting as me, I'll go through the inconvenience
of looking up a Grex staffer when I have time, prove I'm me if
necessary, and ask them to change my password for me. It'll be okay.
At work, I go through a cycle of however many different passwords are
required. I think you can repeat using them every 5 forced changes,
so that's what I use.
At work, we do a lot on-line, and there are different passwords for a
dozen different things. Naturally, I know about two of mine, and if I
need a password for anything else, I contact someone to reset it.
I guess Microsoft's Passport system is intended as a universal
password system. Log in once, have access to everything. It sounds
flaky but when I think of all the different loginids and passwords I
have, it sounds like a nice idea.

jep, response 90 of 224, May 17 12:23 UTC 2003:
I agree that Grex should do away with password expiration, by the way.

slynne, response 91 of 224, May 17 13:27 UTC 2003:
Hehe. I have only two passwords that I use. Whenever a program (like
grex) makes me change my password, I change it to the secondary
password. If it ever asks me to change it back, I change it to the
primary password. I am not too concerned about what might happen if
someone breaks into either my Mnet or Grex account. Sure I might have
some explaining to do if they logged on and started being a jerk. I
like to think that folks would realize it wasn't me but I guess I am a
jerk often enough that I couldn't count on that ;)

oval, response 92 of 224, May 17 14:33 UTC 2003:
Can members use gpg, pinepgp?

rcurl, response 93 of 224, May 17 15:12 UTC 2003:
Has anyone *ever* had their account here compromised by someone unknown to
them guessing their password?

jazz, response 94 of 224, May 17 15:44 UTC 2003:
Probably not, and while there's no way to measure replacing a known
quantity (SunOS's salt) with an unknown one (Marcus'), I'd assume that it
would stop the majority of people who are interested in cracking GREX
passwords, that is to say armchair hackers and script kids. If someone is
dedicated enough, the easiest way would certainly be to compromise a user,
not the password list.

albaugh, response 95 of 224, May 17 16:53 UTC 2003:
For password expiration to be of any real value at all, it has to be combined
with "can't reuse the same last N passwords" *and* "can't change your password
again for N days". Many systems in the workplace implement that policy (along
with minimum password length, content rules (must contain at least 1
non-letter), and must be different from old password by N characters).
All of that is "inconvenient" to the user, but without it, password expiration
is indeed almost useless.
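A password-change check that enforces the combination albaugh lists (history of the last N passwords, minimum age in days, minimum length, at least one non-letter, and differing from the old password by N characters), added here as an example and not code from the thread or from Grex; the policy numbers, the `salt:hexdigest` storage format and the PBKDF2 parameters are assumptions. The "change it and change it back" routine described earlier in the thread is exactly what the history check rejects.

```python
import hashlib
import os

# Policy knobs matching the combination described in the thread: history
# depth, minimum age, minimum length, "at least one non-letter" and
# "differ from the old password by N characters". The numbers are assumed.
POLICY = {"history": 5, "min_age_days": 1, "min_len": 8,
          "need_nonletter": True, "min_diff_chars": 3}

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256, stored as 'salt:hexdigest' so that old
    entries can be re-checked against a candidate password."""
    salt = salt or os.urandom(16).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000)
    return f"{salt}:{digest.hex()}"

def matches(password, stored):
    """Re-derive with the stored entry's own salt and compare."""
    salt = stored.split(":", 1)[0]
    return hash_password(password, salt) == stored

def char_difference(old, new):
    """Number of positions that differ, plus any difference in length."""
    changed = sum(1 for a, b in zip(old, new) if a != b)
    return changed + abs(len(old) - len(new))

def check_change(old, new, history, days_since_change, policy=POLICY):
    """Return the policy violations for a proposed change (empty list = OK).
    `old` is the current password the user typed to authorise the change,
    `history` the stored hashes, newest first (index 0 = current)."""
    problems = []
    if days_since_change < policy["min_age_days"]:
        problems.append("changed too recently")
    if len(new) < policy["min_len"]:
        problems.append("too short")
    if policy["need_nonletter"] and new.isalpha():
        problems.append("needs at least one non-letter")
    if char_difference(old, new) < policy["min_diff_chars"]:
        problems.append("too similar to current password")
    # The reuse check is what defeats "change it, then change it back":
    # every one of the last N hashes is tried with its own salt.
    if any(matches(new, h) for h in history[:policy["history"]]):
        problems.append("reused a recent password")
    return problems

if __name__ == "__main__":
    # Constructed sample: change away from a password, then try to change back.
    current = "correct horse 1"
    stored = [hash_password(current)]
    print(check_change(current, "Tr0ub4dor&3", stored, days_since_change=10))  # []
    stored.insert(0, hash_password("Tr0ub4dor&3"))
    print(check_change("Tr0ub4dor&3", current, stored, days_since_change=0))
```

The similarity rule can only be applied because the user supplies the current password in clear at change time; it cannot be checked against hashes alone, which is why the history rule works on hashes and the "differ by N characters" rule works on the typed old password.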

cross, response 96 of 224, May 17 17:21 UTC 2003:
This response has been erased.

drew, response 97 of 224, May 17 18:35 UTC 2003:
The only acceptable solution for this is to allow - and strongly
encourage - users to inject a *lot* more entropy into the one password
that they settle upon using. Eight characters??? How about an *eighty*
character password? Or better yet whole paragraphs of indeterminate length.
Let the user make up his own rules about punctuation, spelling, swapping
of characters, use of spaces, forwards, backwards, and anything else so
as to have something he can remember without reducing the entropy.
For myself, I'm now contemplating the use of a multi-kilobyte file of
randomly generated numbers as a password (once I get around to getting
PuTTY set up so that enhanced password security might actually have a
point to it). Just have to provide physical security for the password
file...
Actually, the trick is to have something that the user can commit to
memory completely, but still has lots and lots of entropy *as far as the
outside world is concerned*. This indicates a strong preference for letting
the user decide for himself what his password will be and when (and whether!)
to change it, though strongly encouraging him to be creative with it.

cross, response 98 of 224, May 17 18:48 UTC 2003:
This response has been erased.

keesan, response 99 of 224, May 17 21:03 UTC 2003:
We have set up three perpetual beginners with grex email and every year or
so we get a frantic phone call from them telling us that grex does not work
any more so then we change the password and change it back again. They don't
even know their passwords. We have automated the dialin. One time someone
went about 6 months without email until I bumped into his wife and she said
his email broke. So please allow people to reuse old passwords.