jmsaul
response 100 of 222:
Jun 6 18:38 UTC 2000
Cool! What is it?
(Just kidding. ;-)
gull
response 101 of 222:
Jun 6 18:56 UTC 2000
Grex's isn't too bad. I've been unable to change the password on my
Michigan Tech account, though, because I can't come up with one that
satisfies *their* password program. Sigh.
mcnally
response 102 of 222:
Jun 6 19:09 UTC 2000
re #98: That would be quite a trick.. The system shouldn't know what
your old password was..
cconroy
response 103 of 222:
Jun 6 19:58 UTC 2000
And then there's NT, which won't let you reuse any previous password
(which is understandable to maintain tighter security, but gets really
annoying when the system is configured to make you change passwords
every three months whether you like it or not).
rcurl
response 104 of 222:
Jun 6 21:03 UTC 2000
Re #102 re #98: it knows it at the time you are trying to change it.
ryan
response 105 of 222:
Jun 6 21:30 UTC 2000
This response has been erased.
scg
response 106 of 222:
Jun 6 22:15 UTC 2000
passwd asks first for your old password, to verify that you aren't just some
random person who walked up to an already logged in terminal, and then for
the new password. I assume it does its comparison from what you tell it your
old password was (which it then verifies), rather than by pulling it out of
a database somewhere.
drew
response 107 of 222:
Jun 6 22:26 UTC 2000
As I recall, passwords are not stored plaintext anywhere on the system.
Rather, a hashing algorithm is used, that's supposed to be one-way. When it
needs to check your password for any reason, whatever program is doing the
checking takes what you type in and calls the hashing routine, and compares
the result to what's in the shadow file (formerly in /etc/passwd). Thus it
can convert 'foobar' to $%H8@feJK&^, but given the string $%H8@feJK&^, there
is no way to derive the plaintext 'foobar'.
I would guess that on today's faster machines, given the list of hashed
passwords, it might be possible to write a program to try every possible
plaintext password starting with the letter ^A until it finds one that
matches; and that's why shadow files were implemented. Or is this feasible?
steve
response 108 of 222:
Jun 6 23:38 UTC 2000
Drew's explanation of how passwords are stored is right.
As for trying to guess passwords, that's what the "crack" program
does, only it uses dictionaries of words along with some other algorithms,
and for people who choose "bad" passwords, can be *very* effective.
*That* is why Grex's passwd program is so very picky. I don't
normally like the idea of software being so grumpy about human
behavior, but all too many people choose HORRIBLE passwords if
left to their own devices.
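The mechanics drew and steve describe in #107 and #108 (and the no-reuse checks in #103 and #116), written out as an added example; this is not Grex's passwd program or the crack program, and it assumes PBKDF2-SHA256 in place of the crypt(3) hash of the time, a constructed five-word list standing in for a real cracking dictionary, and a hypothetical Account class that keeps the last ten hashes for the reuse check:

```python
import hashlib
import hmac
import os
from typing import Iterator, List, Optional

# Constructed, tiny wordlist standing in for the dictionaries fed to "crack";
# a real checker would load a full dictionary file.
WORDLIST = {"foobar", "password", "grex", "secret", "letmein"}

HISTORY_DEPTH = 10  # like the "not until 10 unused ones" threshold in #116


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt:hash' from PBKDF2-SHA256, a one-way function.

    Only this string is stored (the shadow-file entry); the plaintext is
    never written anywhere, so it cannot be read back, only re-derived.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}:{digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash what the user typed with the stored salt and compare the result."""
    salt_hex, _ = stored.split(":")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def variants(word: str) -> Iterator[str]:
    """Cheap derivations of a dictionary word that a cracker tries beyond the bare word."""
    yield word
    yield word[::-1]
    yield word.capitalize()
    for d in range(10):
        yield f"{word}{d}"


def strength_problems(password: str) -> List[str]:
    """Reasons a 'picky' passwd program would reject the candidate (empty list = accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(not c.isalnum() for c in password):
        problems.append("no punctuation")
    lowered = password.lower()
    for word in WORDLIST:
        if lowered in {v.lower() for v in variants(word)}:
            problems.append(f"derived from dictionary word '{word}'")
            break
    return problems


class Account:
    """Hypothetical account record: current hash plus the last HISTORY_DEPTH hashes."""

    def __init__(self, password: str):
        self.current = hash_password(password)
        self.history: List[str] = []

    def change_password(self, old: str, new: str) -> str:
        # passwd asks for the old password first and checks it against the hash,
        # which is the only moment it "knows" the old password (#104, #106).
        if not verify_password(old, self.current):
            return "old password incorrect"
        problems = strength_problems(new)
        if problems:
            return "rejected: " + "; ".join(problems)
        # Reuse check runs against stored hashes, never against plaintexts.
        for previous in [self.current] + self.history:
            if verify_password(new, previous):
                return "rejected: password was used recently"
        self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        self.current = hash_password(new)
        return "changed"


if __name__ == "__main__":
    acct = Account("Kx9#mq!vL2")  # constructed sample password
    print(acct.change_password("Kx9#mq!vL2", "foobar1"))
    print(acct.change_password("Kx9#mq!vL2", "Qz7$ph!wR4"))
    print(acct.change_password("Qz7$ph!wR4", "Kx9#mq!vL2"))
```

The reuse check is the reason a history of hashes has to be kept at all: because the store holds only one-way hashes, the only way to tell whether a new password repeats an old one is to hash the new candidate with each old salt and compare, exactly as login does.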
bruin
response 109 of 222:
Jun 6 23:45 UTC 2000
BTW, as I use Backtalk to access Grex, what would be the procedure for
changing a password?
other
response 110 of 222:
Jun 6 23:48 UTC 2000
I just sometimes use words from human languages for which no dictionaries
exist. (Transliterated, of course.)
mary
response 111 of 222:
Jun 7 00:35 UTC 2000
Grex's password program isn't picky. I've had the same one for
the past 8 years. When it prompts for a change I give it one
then immediately run the set password program and change it back
to the one I had. I'm not worried about my password being abused.
I'd bet whomever got ahold of it would be nicer than I am. ;-)
Some people are concerned about such things and it's nice the system
allows them a higher level of security.
steve
response 112 of 222:
Jun 7 01:59 UTC 2000
Yes Mary but they might do something using your account that would
be *less* than pleasant. A prof in a college to the west of us just
recently had his pw stolen, and guess what? The little vandal sent a
death threat to Al Gore apparently. Said prof had some explaining to
do, etc.
Not changing your pw in 8 years is just plain risky. I hope that
pw is not used on anything that ever has any form of value flowing
through it.
mcnally
response 113 of 222:
Jun 7 02:06 UTC 2000
as opposed to Grex?
steve
response 114 of 222:
Jun 7 02:21 UTC 2000
Grex represents its own set of value, but I'm talking of systems
such as anything used in a business where obtaining a pw might result
in a vandal being able to manipulate something like product that a
company has, or something else of direct value in the real world.
Grex doesn't have any of that kind of stuff online, so the most
dangerous thing that could happen is all related to email, which isn't
saying that emails to the wrong people can't land someone in a fair
amount of trouble.
cmcgee
response 115 of 222:
Jun 7 02:40 UTC 2000
The UM password checker is even snippier than Grex. I finally used my
favorite password with punctuation marks separating some letters. It didn't
like my "first letter of each word in the title of a book, song, etc"
algorithm.
twinkie
response 116 of 222:
Jun 7 02:57 UTC 2000
re: 103 -- By default, Windows NT *will* let you reuse an old password. You
can set it to never accept a used password, or you can set a threshold, such
that NT will not accept a used password until there have been 10 unused ones.
(Which can easily be defeated by changing your password 10 times in a row)
bdh3
response 117 of 222:
Jun 7 03:29 UTC 2000
The yucky mainframes at where I work have a very picky
password program that not only requires 1 non alpha, but doesn't let you
reuse passwords ever and you have to change it every 90 days and you
can't use the same password on different machines.
In my group we all have thinkpads as we are 'mobile'. As a result
of the 'very secure' password scheme the mainframe gang uses just
about all of my cadre have a label stuck to our laptops with system
name and password pairs written on them. (I at least keep them in my
palm pilot encrypted under a central password.)
Humans are the weak link in any security system.
jmsaul
response 118 of 222:
Jun 7 03:49 UTC 2000
Yep, and the pickier the password program is, the weaker a link the humans
become. It's a tradeoff.
steve
response 119 of 222:
Jun 7 04:28 UTC 2000
I dunno. Grex has trained a lot of people into thinking about passwords
in ways that they didn't, before. I have had many many conversations with
people about the pickiness of our passwd program, and at least some people
who use Grex have an awareness of passwords that they didn't before. Now,
some people are probably the opposite, and rebel and use the same one
difficult pw over and over, so in that sense, there is a tradeoff in the
general population of people. But I do think that some people here choose
better pw's because of Grex's pickiness, which is a good thing.
omni
response 120 of 222:
Jun 7 04:29 UTC 2000
If I've learned anything in the last 7 years, I've learned that when
STeve advises you to do something it is in your best interest to heed
his advice.
Just before I got my ham license, I asked STeve about radios. He told
me ICOM was just about the best one on the market. I followed his counsel
and have not been sorry. That was almost 8 years ago.
I changed my password this morning. The new one will be a pain to learn,
but I will learn it. It is better than a death threat sent to the president
in my name.
Thanks for being vigilant, STeve.
omni
response 121 of 222:
Jun 7 04:30 UTC 2000
STeve slipped in.
senna
response 122 of 222:
Jun 7 04:38 UTC 2000
I have a number of rotating passwords, so I shuffled around to satisfy my
desire for security.
jmsaul
response 123 of 222:
Jun 7 04:40 UTC 2000
Re #119: Programs which require strong passwords do help against people
running crack and the like, there's no doubt. Unfortunately,
they lead to other security problems, like people writing passwords
down on post-it notes stuck to their monitors. Whether it's a
good tradeoff depends on which threat you're more worried about.
In an institutional environment, I'd usually worry more about the
post-it notes. Here, worrying more about script kiddies may be
a good call. In any event, Grex isn't doing the thing that provokes
the worst "weak link" behavior -- timed expiration.
On general principle, though, I'm not so sure you should be
encouraging people to write their passwords down. Even if it
isn't a problem here, it's a bad habit to be in in an office
environment.
omni
response 124 of 222:
Jun 7 07:44 UTC 2000
If I don't write it down, I'm gonna forget it.
I think I'm gettin' old. My bones is getting creaky and
I'm forgettin things I should remember and rememberin'
things I should have forgot. Oh dear. ;)
I do have a large supply of potential passwords. I'm not
worried about the password program rejecting one of my potentials.