[TriLUG] Securely and Accurately transmit passwords

jonc at nc.rr.com jonc at nc.rr.com
Wed Oct 3 21:49:48 EDT 2007


<Shakes head> Maybe I'm missing something, but these guys seem to be living in their own mental worlds.... Worlds that for some reason don't contain limits on login attempts. 

The maximum number of times I let folks try a password (before locking the account for an hour) is 10 times. Tell me how some cracker is going to use a dictionary attack and crack one of my accounts. Unless he lucks into the password in the first 10 tries, his app is simply going to be spinning its wheels uselessly for the next 59 minutes and 59 seconds...

Also, most admins I know use the security app Denyhosts. It was mentioned by someone else earlier in this thread. I have some very strict Denyhost rules for my secure accounts (admin/root accounts). If a hacker is trying to break into a secure account, the Python app Denyhosts locks out all the IPs used in his attacks. The hacker would have to harvest the entire net to stand a chance of breaking in, and even then he'll only have a window of opportunity of 10 attempts every hour.

Are there folks out there that don't set limits on invalid login attempts? Are they Windows admins?

Jon (wobble head) Carnes

---- Chris Calloway <cbc at unc.edu> wrote: 
> On Oct 2, 2007, at 12:40 PM, MG wrote:
> > Oddly enough, CBC (Canadian news) ran an article on password  
> > security today:
> >
> > http://www.cbc.ca/news/background/tech/passwords.html
> 
> Read what this well known security expert/pundit has to say on the  
> matter:
> 
> http://www.schneier.com/blog/archives/2005/06/write_down_your.html
> 
> You know, just because you write down a password doesn't mean you  
> have to stick it on a post-it on your workstation. In fact, real  
> world security means your password *is* written down, sealed in an  
> envelope, and put in a safe place "in case you get hit by a bus," I  
> think is the commonly used phrase.
> 
> So yeah, use strong passwords and write them down.
> 
> --
> Sincerely,
> 
> Chris Calloway
> http://www.seacoos.org
> office: 332 Chapman Hall cell: (919) 599-3530
> mail: Campus Box #3300, UNC-CH, Chapel Hill, NC 27599
> 
> 
> 
> -- 
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
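
The two limits described in the message above (10 failed tries, then a one-hour account lock, plus denying source IPs that keep failing), replayed over constructed sshd log lines. This is an added example, not code from the post or from Denyhosts; the per-IP threshold of 3, the log lines and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 10               # failed tries before the account locks (from the post)
LOCK_TIME = timedelta(hours=1)  # lock duration (from the post)
IP_DENY_AFTER = 3               # assumed per-IP threshold; the post gives no number

FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def constructed_log():
    """Constructed sample: one noisy host, then 40 hosts guessing once a minute."""
    start = datetime(2007, 10, 3, 21, 0, 0)
    fmt = "{} host sshd[4242]: Failed password for root from {} port 22022 ssh2"
    events = [(start + timedelta(seconds=s), "203.0.113.7") for s in range(5)]
    events += [(start + timedelta(minutes=m), f"198.51.100.{m}") for m in range(1, 41)]
    return [fmt.format(ts.strftime("%b %d %H:%M:%S"), ip) for ts, ip in events]

def replay(lines, year=2007):
    """Apply both limits to each logged attempt and count what gets through."""
    recent = defaultdict(list)   # account -> failure times still inside the window
    locked_until, per_ip, denied = {}, defaultdict(int), set()
    stats = {"checked": 0, "blocked_ip": 0, "blocked_lock": 0}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        user, ip = m.group(2), m.group(3)
        if ip in denied:                                # source already denied
            stats["blocked_ip"] += 1
            continue
        if ts < locked_until.get(user, datetime.min):   # account still locked
            stats["blocked_lock"] += 1
            continue
        stats["checked"] += 1                           # guess reached the password check
        per_ip[ip] += 1
        if per_ip[ip] >= IP_DENY_AFTER:
            denied.add(ip)
        recent[user] = [t for t in recent[user] if ts - t < LOCK_TIME] + [ts]
        if len(recent[user]) >= MAX_FAILURES:
            locked_until[user] = ts + LOCK_TIME
            recent[user] = []
    return stats, denied, locked_until

if __name__ == "__main__":
    print(replay(constructed_log()))
```

Of the 45 constructed attempts, only 10 reach the password check: the noisy host is denied after its third failure, and the account lock stops the remaining one-guess-per-host attempts regardless of how many source addresses are used.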



