Fedora Linux Support Community & Resources Center
#16
2009-11-08, 02:27 AM CST
Evil_Bert
Semi-retired Community Manager
Join Date: Nov 2007
Location: Sydney, Australia
Posts: 1,897
Quote:
Originally Posted by Velociraptor
treat passwords as you would underwear - change them often and don't share them around.

You mean I've been getting it wrong all this time? No wonder I keep getting that rash.
__________________
.
Looking for somewhere to get started? Try the Forum Help page.
There are many alternate universes, but only this one has beer.
#17
2009-11-08, 01:52 PM CST
stevea
Registered User
Join Date: Apr 2006
Location: Ohio, USA
Posts: 4,611
Quote:
Originally Posted by Velociraptor
My last offering on this topic is:
1. treat passwords as you would underwear - change them often and don't share them around.
2. Try a MAC address generator - http://software.informer.com/getfree...ator-software/
HTH

I disagree with 1. As a practical matter, IF you change passwds often, and if you use distinct passwds for all of your important accounts, then you'll end up with an armload of complex passwords, and since you won't remember them all you'll write them down, put them in a file, make them all according to some pattern, or some other terrible practice.

You need to change passwds occasionally, and certainly when there is the least hint of foul play. But I think these "change them every month or two" rules only encourage the humans to use bad practices.

I am not impressed with "password gorilla" and these sorts of amateur toys. It's better than nothing but just marginally. Most security profiles require that single keys be stored in separate files with both access perms and authentication blocking access. Gorilla doesn't scrub the dram used. It seems probable that the cleartext passwords are present in dram after access. If you read through what governments and security agencies require ... see nist.gov
==

I don't know what 2. "MAC addr generator" is good for, but certainly not security. It's a violation of IEEE & OUI practices to use most MACs (except for the broadcast and private ranges), as these are assigned to vendors who pay for them. No serious problem on a LAN - but it's a genuine bad practice. If you ever screw up you'll have a load of debugging to do. Also there's no advantage. Your MAC never propagates beyond your LAN.


Quote:
Originally Posted by Evil_Bert
You mean I've been getting it wrong all this time? No wonder I keep getting that rash.

I thought there was something strange down under
__________________
Nothing is so unbelievable that oratory cannot make it acceptable - Cicero
#18
2009-11-09, 09:37 PM CST
Velociraptor
Registered User
Join Date: Oct 2009
Location: Tasmania
Posts: 5
Stevea, forgive me for my newbie ignorance but I have a couple of concerns about your 2009-11-08,02-04AM post.
1. (Taken from http://www.faqs.org/docs/securing/chap15sec122.html) The option PasswordAuthentication specifies whether we should use password-based authentication. For strong security, this option must always be set to yes.
2. 'only allow keyed login' could not be found on my sshd_config - I am researching this, though pls be wary that some of us are not as Linux familiar as yourself.
3. I added AllowUsers 'me' and Allowgroups 'mygroup' in the same file.
My MAC address generation password suggestion was for creating good passwords only, not for using the addresses themselves.
Thanks for your consideration
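
"Only allow keyed login" is not a literal sshd_config keyword; it corresponds to PasswordAuthentication no together with PubkeyAuthentication yes, and sshd uses the first value it obtains for each keyword. An added example (not part of the thread or of OpenSSH) that reports those settings and the AllowUsers/AllowGroups entries; the sample config is constructed, and Match blocks are skipped as a simplification:

```python
# Upstream OpenSSH defaults for the yes/no keywords checked here.
SCALAR_DEFAULTS = {"passwordauthentication": "yes",
                   "pubkeyauthentication": "yes"}
LIST_KEYS = ("allowusers", "allowgroups")

SAMPLE = """\
# Constructed sample, not taken from the thread.
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers me
allowgroups mygroup
PasswordAuthentication yes
"""

def audit(text):
    """Report effective login settings in the global section of sshd_config text."""
    scalars = {}
    lists = {key: [] for key in LIST_KEYS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                              # blank line or comment
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]   # keywords are case-insensitive
        if key == "match":
            break                                 # conditional blocks not evaluated here
        if key in LIST_KEYS:
            lists[key].extend(args)               # simplification: collect every name
        elif key in SCALAR_DEFAULTS and args:
            scalars.setdefault(key, args[0].lower())  # first value obtained wins
    eff = {**SCALAR_DEFAULTS, **scalars}
    password = eff["passwordauthentication"] == "yes"
    return {
        "password_login": password,
        "key_only": (not password) and eff["pubkeyauthentication"] == "yes",
        "allow_users": lists["allowusers"],
        "allow_groups": lists["allowgroups"],
    }

if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(f"{name}: {value}")
```

On a live system, `sshd -T` prints the configuration sshd actually uses, which is the authoritative check.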
#19
2009-11-11, 07:40 PM CST
tjvanwyk
Registered User
Join Date: May 2007
Location: U.S.
Posts: 2,883
Quote:
Originally Posted by Velociraptor
3. I added AllowUsers 'me' and Allowgroups 'mygroup' in the same file.
My MAC address generation password suggestion was for creating good passwords only not for using the addresses themselves.
Thanks for your consideration

So, wait. You're using a MAC address (randomly generated though it may be) for your passwords?

Using MAC addresses as passwords is not really a good idea. First, it's going to be hard to remember them. Second, the pool of characters is small. Third, the length is relatively short. A MAC address is a 48 bit string of characters using hex encoding. This translates into a 12 character hex string.

Most password authentication schemes these days allow passwords to use the full ASCII scheme. If you limit yourself to 15 characters (the pool of allowed characters for MAC addresses), this makes your password pretty weak by definition when compared to the fact that you could be using the whole range of alphanumeric characters PLUS a large set of punctuation characters.

https://www.grc.com/passwords.htm
__________________
- Tom
"What is freedom? To have the will to be responsible for one's self." - Stirner
#20
2009-11-13, 03:18 AM CST
Velociraptor
Registered User
Join Date: Oct 2009
Location: Tasmania
Posts: 5
My goodness, some of you blokes are - to put it mildly - passionate about what you think should be modus operandi for Linux users; thankfully we live in a democratic society. Ok, tjvanwyk,
first:
1. Have you heard of copy and paste? A must for putting in keys for software activation and for passwords.
2. 00:A0:C9:14:C8:29 - this is too small????
3. I agree it does translate to 12 characters - but password crackers - johntheripper - would have a hard time cracking something that is not normally associated with data entry.
Ok, I support the use of passwords with upper/lower case, numbers and symbols. Pity, the uninitiated don't understand the importance until something bad happens.
ooo-roo
#21
2009-11-13, 06:25 AM CST
tjvanwyk
Registered User
Join Date: May 2007
Location: U.S.
Posts: 2,883
Your comment re: copy and paste is curious. If you're already using copy and paste for password entry then it'd be just as convenient for you to be using, say, 64-character passwords composed of random ASCII.

When it comes to password security, a larger character pool doesn't hurt anything. Seems odd to use a MAC generator when there are dozens of generators out there that will generate ASCII just fine. Using a MAC address generator is great for, uh, MAC addresses but there's no good reason to limit your character pool to 15 characters. Don't know about you, but to me a 12 character (almost) random hex string is probably about as hard to remember as a random 12 character ASCII string.

But thanks for asking me if I'd ever heard of copy and paste. I hadn't, so I googled it. Pretty cool stuff.
__________________
- Tom
"What is freedom? To have the will to be responsible for one's self." - Stirner

Last edited by tjvanwyk; 2009-11-13 at 06:35 AM CST.
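
The character-pool and length argument in this exchange, worked through as an added example that is not from any poster: a MAC-style string is 12 hex digits (16 symbols each) plus fixed separators, so anyone who knows the format faces a 48-bit search space, against roughly 79 bits for 12 random printable-ASCII characters. The guess rate is an assumed figure for illustration, and `bits_if_scheme_known` assumes any non-MAC input came from the 94-symbol generator.

```python
import math
import re
import secrets
import string

HEX_DIGITS = "0123456789ABCDEF"                                        # 16 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
ASSUMED_GUESSES_PER_SEC = 1e9   # assumption for illustration, not a measured rate

def keyspace_bits(pool_size, length):
    """log2 of the candidate count for `length` independent uniform picks."""
    return length * math.log2(pool_size)

def random_password(alphabet, length):
    """Uniform random string drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def mac_style_password():
    """12 random hex digits with ':' separators, like the sample in the thread."""
    raw = random_password(HEX_DIGITS, 12)
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def bits_if_scheme_known(password):
    """Search space once the format is known; fixed separators add nothing."""
    if MAC_RE.match(password):
        return keyspace_bits(len(HEX_DIGITS), 12)
    # Assumption: any other input was drawn uniformly from PRINTABLE.
    return keyspace_bits(len(PRINTABLE), len(password))

def days_to_exhaust(bits, guesses_per_sec=ASSUMED_GUESSES_PER_SEC):
    """Days needed to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_sec / 86400

if __name__ == "__main__":
    samples = [("MAC-style", mac_style_password()),
               ("12 printable", random_password(PRINTABLE, 12)),
               ("64 printable", random_password(PRINTABLE, 64))]
    for label, pw in samples:
        bits = bits_if_scheme_known(pw)
        print(f"{label:13} {bits:6.1f} bits  {days_to_exhaust(bits):.3g} days")
```

If a generator takes the first three octets from a list of vendor prefixes (OUIs) instead of drawing them at random, only the last three octets contribute 24 random bits, plus log2 of the list size.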