[CentOS] Server Hacked: Cpanel
Bowie Bailey
Bowie_Bailey at BUC.com
Thu Aug 10 14:31:37 UTC 2006
William L. Maltby wrote:
> On Wed, 2006-08-09 at 17:26 -0400, Bowie Bailey wrote:
> > William L. Maltby wrote:
>
> > The solution to that is a secure password manager.
> > http://passwordsafe.sourceforge.net/
> >
> > You just have to remember the one password and the program will track
> > all of the rest for you. This way you can use gibberish passwords for
> > important sites such as online banking and you don't have to remember
> > them or write them down anywhere. The password database is encrypted
> > using Twofish and SHA-256.
>
> I don't care for that concept. One password cracked gives access to all.
> I would rather take the admitted risk of writing them down (in *my*
> scenario, rather secure at home) and referring to that when needed.
True, but if you make that one a good one and use it only for that
purpose, the risks are minimal.
> The ones I use frequently will be remembered. I don't use them on the
> road at all, so that's reasonable. I prefer to not have passwords stored
> on computers any more than necessary.
I don't think it's a problem to have the passwords stored on the
computer. Just make sure they're securely encrypted.
> Now, I'll admit I fudge a *small* amount. Those who have access in my home
> know Windows only, not Linux, and I have no shares with them. They are
> TDU (Typical Dumb Users) and don't know how to use SSH, FTP, ... or even
> how to find my comps on the LAN (no SMB node or Domain Controllers
> here).
>
> > The only real downside is that if you don't have access to the
> > password manager, you don't have access to anything else either.
>
> Well, I do consider the one password exposes all a downside. But I also
> grant that it is more secure than many alternatives.
You know what they say:
"You can put all your eggs in one basket, but WATCH THAT BASKET!"
As long as you are extremely careful with the access password, you
shouldn't have a problem. I will take this risk for the advantage of
being able to easily use highly secure passwords. For example, my
online banking password is a sequence of random characters. I don't
have to remember it or type it. If I didn't have a tool like this, I
would have to either write it down somewhere or use a less-secure
password that I could remember.
> > Oh...and don't forget backup the password database! :)
>
> I'm finalizing my LVM-based snapshots with aging of deleted files right
> now, so I will be covered.
That works, but a simple backup copy to a floppy disk or external hard
drive works as well.
> Thanks for the URL. I will go take a look. My mind is not yet
> rusted closed even if (... *when*) I think I'm right! :-)
The creator of this tool is a rather paranoid security expert. I
figure if he is willing to use it, it's worth a look.
http://schneier.com/
(note that the Password Safe information on that page refers to an
older version that used Blowfish rather than Twofish)
--
Bowie
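The "one good master password protects an encrypted database of gibberish passwords" design discussed above, as an added example. This is not Password Safe's own code or file format: Python's standard library has no Twofish, so the cipher below is a stand-in (an HMAC-SHA256 keystream in counter mode with encrypt-then-MAC), and the header magic, field layout and iteration count are assumptions for the demo. What it does show is the part that makes the "watch that basket" advice workable: the master password is stretched with PBKDF2-HMAC-SHA256 so each guess costs real work, the stored blob authenticates itself so a wrong password or a tampered file is refused rather than decrypted to garbage, and site passwords come from the CSPRNG so nobody has to remember or type them.

```python
"""Toy password vault: one master password seals an encrypted store.

Added example, not Password Safe's code or format.  The cipher is a
stand-in for Twofish: HMAC-SHA256 keystream in counter mode, with
encrypt-then-MAC.  Header layout and constants are assumptions.
"""
import hashlib
import hmac
import json
import secrets
import string
import struct

MAGIC = b"TOYVAULT1"          # hypothetical file header (assumption)
DEFAULT_ITERATIONS = 200_000  # PBKDF2 work factor: slows master-password guessing
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32                  # HMAC-SHA256 output

SITE_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=20, alphabet=SITE_ALPHABET):
    """A gibberish site password; 'secrets' is the CSPRNG, never 'random'."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _derive_keys(master, salt, iterations):
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                             iterations, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key, nonce, data):
    """Counter mode: keystream block i = HMAC(key, nonce || i).  XOR is its own
    inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", i // 32),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def lock_vault(master, entries, iterations=DEFAULT_ITERATIONS):
    """Serialize the entries and seal them under the master password."""
    salt = secrets.token_bytes(SALT_LEN)      # fresh per vault: no shared rainbow table
    nonce = secrets.token_bytes(NONCE_LEN)    # fresh per write: keystream never reused
    enc_key, mac_key = _derive_keys(master, salt, iterations)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    header = MAGIC + salt + struct.pack(">I", iterations) + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + tag + ciphertext


def unlock_vault(master, blob):
    """Return the entries, or raise ValueError on a wrong password or tampering."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a vault file")
    hdr_len = len(MAGIC) + SALT_LEN + 4 + NONCE_LEN
    header, tag, ciphertext = blob[:hdr_len], blob[hdr_len:hdr_len + TAG_LEN], blob[hdr_len + TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    (iterations,) = struct.unpack(">I", header[len(MAGIC) + SALT_LEN:len(MAGIC) + SALT_LEN + 4])
    nonce = header[-NONCE_LEN:]
    enc_key, mac_key = _derive_keys(master, salt, iterations)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    # Verify before decrypting; constant-time compare avoids a timing oracle.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or vault tampered with")
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


def try_unlock(master, blob):
    """unlock_vault, but None instead of an exception.  Note this is exactly
    the yes/no oracle an attacker with a copy of the file gets per guess,
    which is why the iteration count and the master's strength matter."""
    try:
        return unlock_vault(master, blob)
    except ValueError:
        return None


if __name__ == "__main__":
    master = "correct horse battery staple"   # the one password you do remember
    entries = {"bank.example": {"user": "bowie", "password": random_password(24)}}
    blob = lock_vault(master, entries)
    print("vault is", len(blob), "bytes; unlock ok:", try_unlock(master, blob) == entries)
    print("wrong master ->", try_unlock("letmein", blob))
```

Back the blob up like any other file; everything you need to recover it is the blob plus the master password, which is the whole point of the design.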