[CentOS] Server Hacked: Cpanel

Thu Aug 10 14:31:37 UTC 2006
Bowie Bailey <Bowie_Bailey at BUC.com>

William L. Maltby wrote:
> On Wed, 2006-08-09 at 17:26 -0400, Bowie Bailey wrote:
> > William L. Maltby wrote:
> 
> > The solution to that is a secure password manager.
> > http://passwordsafe.sourceforge.net/
> > 
> > You just have to remember the one password and the program will track
> > all of the rest for you.  This way you can use gibberish passwords for
> > important sites such as online banking and you don't have to remember
> > them or write them down anywhere.  The password database is encrypted
> > using Twofish and SHA-256.
> 
> I don't care for that concept. One password cracked gives access to all.
> I would rather take the admitted risk of writing them down (in *my*
> scenario, rather secure at home) and referring to that when needed.

True, but if you make that one a good one and use it only for that
purpose, the risks are minimal.

> The ones I use frequently will be remembered. I don't use them on the
> road at all, so that's reasonable. I prefer to not have passwords stored
> on computers any more than necessary.

I don't think it's a problem to have the passwords stored on the
computer.  Just make sure they're securely encrypted.

> No, I'll admit I fudge a *small* amount. Those who have access in my home
> know windows only, not Linux and I have no shares with them. They are
> TDU (Typical Dumb Users) and don't know how to use SSH, FTP, ... or even
> how to find my comps on the LAN (no SMB node or Domain Controllers
> here).
> 
> 
> > The only real downside is that if you don't have access to the
> > password manager, you don't have access to anything else either.
> 
> Well, I do consider the one password exposes all a downside. But I also
> grant that it is more secure than many alternatives.

You know what they say:
    "You can put all your eggs in one basket, but WATCH THAT BASKET!"

As long as you are extremely careful with the access password, you
shouldn't have a problem.  I will take this risk for the advantage of
being able to easily use highly secure passwords.  For example, my
online banking password is a sequence of random characters.  I don't
have to remember it or type it.  If I didn't have a tool like this, I
would have to either write it down somewhere or use a less-secure
password that I could remember.

> > Oh...and don't forget to back up the password database! :)
> 
> I'm finalizing my LVM-based snapshots with aging of deleted files right
> now, so I will be covered.

That works, but a simple backup copy to a floppy disk or external hard
drive works as well.

> Thanks for the URL. I will go take a look. My mind is not yet
> rusted closed even if (... *when*) I think I'm right! :-)

The creator of this tool is a rather paranoid security expert.  I
figure if he is willing to use it, it's worth a look.

http://schneier.com/
(note that the Password Safe information on that page refers to an
older version that used Blowfish rather than Twofish)

-- 
Bowie
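The thread describes the password-manager model in one sentence: one master password unlocks an encrypted database, so the whole risk rests on that password and on the database not being readable or silently alterable without it. The following is an added example, not code from the thread or from Password Safe, showing that model end to end: the master password is stretched with PBKDF2-SHA256 into separate encryption and MAC keys, the vault is encrypt-then-MAC protected, and a wrong master password or a tampered file is rejected before any plaintext is decoded. The Python standard library has no Twofish, so an HMAC-SHA256 counter-mode keystream stands in for the block cipher; the iteration count, salt and nonce sizes, and the vault layout are assumptions chosen for the demo, not Password Safe's real file format.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

# Constructed parameters for this demo; the real Password Safe format differs.
KDF_ITERATIONS = 200_000   # PBKDF2 work factor: slows down master-password guessing
SALT_LEN = 16              # per-vault salt, stops precomputed tables across vaults
NONCE_LEN = 16             # per-save nonce, so re-saving never reuses a keystream
TAG_LEN = 32               # HMAC-SHA256 tag length


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the single master password into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for the Twofish cipher the thread mentions (not in the stdlib);
    the same call encrypts and decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal_vault(master_password: str, entries: dict[str, str]) -> bytes:
    """Serialize site->password entries and return salt || nonce || ciphertext || tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    # Encrypt-then-MAC over everything the reader will trust, header included.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> dict[str, str]:
    """Verify the tag first; only a correct master password yields plaintext."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault file truncated")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison; a wrong password and a tampered file look the same.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or corrupted vault")
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


def random_password(length: int = 20) -> str:
    """The 'sequence of random characters' a manager lets you use without memorizing."""
    alphabet = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789!@#$%^&*()-_=+")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample vault.
    vault = seal_vault("one-good-master-passphrase", {"bank": random_password(24)})
    print(open_vault("one-good-master-passphrase", vault))
    try:
        open_vault("guess", vault)
    except ValueError as exc:
        print("rejected:", exc)
```

Two design choices matter here: the MAC covers the salt and nonce as well as the ciphertext, so an attacker who can edit the file cannot swap headers without detection, and the tag is checked before any decryption, so a wrong master password fails closed rather than producing garbage that is then parsed. The backup advice in the thread still applies: the blob is only recoverable with the master password, and the master password is only useful if the blob survives.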