Redhat servers rooted
Alan Jackson
ajackson
Mon May 17 12:01:52 PDT 2004
On Sat, 01 May 2004 15:04:28 -0400
Matthew Carpenter <matt at eisgr.com> wrote:
> Alan Jackson wrote:
>
> >Surprisingly, they weren't. But I don't think they had tested the
> >passwords against crack.
> >
> Having some experience with John, I will tell you this:
> Unix/Linux passwords are magnitudes more difficult to crack than
> Windows passwords. Cracking trivial passwords on Unix/Linux with the
> salt can take days, while trivial passwords on Windows with no salt can
> crack in as little as a couple of seconds for a dictionary attack. The
> difference gets even more immense as non-trivial passwords are used.
>
My favorite corporate security guy used to take a weekend every few months
to run crack against /etc/passwd in our office. If he cracked your password,
you would get an e-mail to that effect, with some suggestions on how to
change it to pass the test next time.

As a result, I've had the same password for over a decade. Which I think
is a lot more secure than this silly "change them every month" stuff.
Every time I see *that* rule put into effect, people start writing down
their passwords and "hiding" them in their desk drawers, or slipping them
under the keyboard or mouse pad.

We have one system at work that does the monthly change thing, so most
people have started using the "I forgot my password, give me a new one"
button every time they need to use the system. How stupid is that?
--
-----------------------------------------------------------------------
| Alan K. Jackson | To see a World in a Grain of Sand |
| alan at ajackson.org | And a Heaven in a Wild Flower, |
| www.ajackson.org | Hold Infinity in the palm of your hand |
| Houston, Texas | And Eternity in an hour. - Blake |
-----------------------------------------------------------------------
More information about the Linux-users
mailing list