hello,

John Foster wrote:

> We use the following strategy:
>
> 1) Generate a list of passwords with pwgen

could you describe this utility?

> 2) On a SP2 supercomputer, try to crack them (after feeding them
> through crypt).

do you use a wordlist and if so, how big?

> 3) Those who can't be cracked go into a safe, to be allocated when
> users sign up.

then, you depend upon a wordlist. if you tested passwords on a small one, crackers may get lucky on one of those 11 MB ones on the COAST security archives. as far as i know, all passwords can be cracked using brute force. (at least i had a 100% success)

> The company I work for was very badly hacked (rm -fR *), which is how
> I got my job (as a repairman!). They are now somewhat paranoid!

then they must have been really insecure. only very lame people would ever do that.

> Just as a Debian is cool story:
>
> When they lost all their servers they were running Slackware 2
> (shudders!). I refused to rebuild the system with Slackware so they
> said, "OK, use Redhat". I installed Redhat (2 I think) and managed to
> crack it within a week.

Redhat - the breakin paradise. last week, the whole #hack channel sat on #linux, noted down the ip addies of people who installed it and rooted them. ever saw an inetd.conf on a fresh install of redhat 4.2? just one unpatched version of imapd is sufficient ;)

> So I put Debian 1.2.4 on (I'd been using Debian in a research
> environment for some time), and since then I've seen a few attempts in
> the logs, but as far as I know no-one has got in who shouldn't!

it doesn't mean they haven't ;))

> I'm not so naive as to believe that Debian is 100% secure (that's
> impossible I reckon), but it seems to cope OK for a smallish ISP. I
> find some interesting things in the logs, like 500 consecutive
> attempts to telnet from the one source, but as we've disabled shell
> access for dial-in clients it'll just give them motd if they do get in
> that way!

i'm not at all knowledgeable in linux, but chsh changes a default shell of the user in /etc/passwd. (at least on SunOS)

> On the subject of pwgen though, there is a definite pattern to the
> passwords it generates. This does concern me a bit.

yep, that would certainly make it more susceptible to lame newbie attacks.

paul
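The thread's three-step recipe (generate, try to crack, keep the survivors) and the worry about pwgen's "definite pattern" both come down to search-space size. The example below is added here and is not code from either poster or from pwgen: it generates candidates from a CSPRNG, vets each one against a constructed wordlist and a minimum-entropy policy, and contrasts the entropy of a uniformly random password with a simplified alternating consonant/vowel model of a pronounceable generator. The 60-bit threshold, the six-word sample wordlist and the consonant/vowel model are all assumptions chosen for illustration, not pwgen's actual algorithm.

```python
import math
import secrets
import string

# Constructed sample wordlist standing in for a cracker's dictionary;
# a real one (like the large archives mentioned in the thread) has far more entries.
SAMPLE_WORDLIST = {"password", "secret", "letmein", "debian", "redhat", "qwerty"}

# Full printable ASCII alphabet: 26 + 26 + 10 + 32 = 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Simplified pronounceable model (assumption, not pwgen's real scheme):
# strictly alternate one of 20 consonants with one of 6 vowels.
CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiouy"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(length: int) -> float:
    """Entropy under the alternating consonant/vowel model.

    Odd positions draw from CONSONANTS, even positions from VOWELS, so the
    search space is 20^ceil(n/2) * 6^floor(n/2) instead of 94^n.
    """
    consonant_slots = (length + 1) // 2
    vowel_slots = length // 2
    return (consonant_slots * math.log2(len(CONSONANTS))
            + vowel_slots * math.log2(len(VOWELS)))


def generate_password(length: int = 12, alphabet: str = FULL_ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG via secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_vetted(password: str, wordlist=SAMPLE_WORDLIST, min_bits: float = 60.0,
              alphabet_size: int = len(FULL_ALPHABET)) -> bool:
    """Vetting gate: reject dictionary-derived passwords and ones below the entropy policy.

    min_bits=60 is an assumed policy value for this example.
    """
    lowered = password.lower()
    # Exact hit, or a wordlist entry with trailing digits/punctuation stripped off.
    stripped = lowered.rstrip(string.digits + string.punctuation)
    if lowered in wordlist or stripped in wordlist:
        return False
    # A wordlist entry of five or more characters embedded anywhere.
    if any(word in lowered for word in wordlist if len(word) >= 5):
        return False
    # Length check expressed as entropy, assuming uniform draws from the full alphabet.
    return entropy_bits(alphabet_size, len(password)) >= min_bits


def generate_vetted(length: int = 12, attempts: int = 100) -> str:
    """Generate candidates until one passes the vetting gate (the 'safe' in step 3)."""
    for _ in range(attempts):
        candidate = generate_password(length)
        if is_vetted(candidate):
            return candidate
    raise RuntimeError("no vetted password produced within the attempt budget")


if __name__ == "__main__":
    print("uniform 8-char:      %.1f bits" % entropy_bits(len(FULL_ALPHABET), 8))
    print("pronounceable 8-char: %.1f bits" % pattern_entropy_bits(8))
    print("vetted password:", generate_vetted())
```

Running it shows the gap the thread is worried about: eight uniformly random printable characters carry roughly 52 bits, while the same length under the alternating model carries under 28, so a guesser who knows the pattern has far less to enumerate. The vetting gate is the defensive counterpart of step 2: check candidates against the dictionary before they are ever handed to a user, rather than after.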