[CentOS] Re: Unknown rootkit causes compromised servers
Scott Silva
ssilva at sgvwater.com
Tue Jan 29 19:59:15 UTC 2008
on 1/29/2008 10:41 AM Johnny Hughes spake the following:
> David Thompson wrote:
>> "Michael A. Peters" wrote:
>>>> I have never understood this. If I have a good, strong password
>>>> that nobody knows, how is changing it to another one an improvement
>>>> over what I already have?
>>> I agree with you.
>>
>> For user accounts, changing one strong password for another gains you
>> nothing, and may cause people to start writing things down, or
>> choosing trivial passwords which still meet the password strength
>> criteria, or whatever, actually weakening security.
>>
>> However, if you have admins who come into or leave employment,
>> changing privileged account passwords (read: root or equiv) is a
>> necessary activity.
>>
>
> I disagree with this too, changing one strong password for another gains
> you plenty if someone has compromised the initial one.
>
> The purpose of changing strong passwords is so that if someone has been
> fortunate enough to use some kind of method to get a password, they
> lose access again after the new password change and have to start over
> at the beginning to get back in.
>
> This gains you plenty if someone who is unauthorized loses access.
>
> If you are dealing with regular users, Bill will give Ted a password for
> one item when Bill goes on vacation since it is much easier than
> getting the IT weenies to change the access that Ted has ... besides he
> only needs to login one time while Bill is on vacation. However, if
> Bill never has to change his password then Ted has Bill's access forever.
>
> Then of course there is the brute force guessing, etc.
>
> Changing passwords at regular intervals is more secure than keeping the
> same passwords.
>
If I ever need to give root access to somebody else, I change the password
"before" I give it out, and change it again after. Just in case I got lazy and
used it somewhere else. Sometimes you get busy or just plain forget.
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!