[CentOS] Unknown rootkit causes compromised servers

Tue Jan 29 18:41:27 UTC 2008
Johnny Hughes <johnny at centos.org>

David Thompson wrote:
> "Michael A. Peters" wrote:
>>> I have never understood this.  If I have a good, strong password that nobody
>>> knows, how is changing it to another one an improvement over what I already
>>> have?
>> I agree with you.
> 
> For user accounts, changing one strong password for another gains you nothing, 
> and may cause people to start writing things down, or choosing trivial 
> passwords which still meet the password strength criteria, or whatever, 
> actually weakening security.
> 
> However, if you have admins who come into or leave employment, changing 
> privileged account passwords (read: root or equiv) is a necessary activity.
> 

I disagree with this too: changing one strong password for another gains 
you plenty if someone has compromised the initial one.

The purpose of changing strong passwords is so that if someone has been 
fortunate enough to use some kind of method to get a password, they 
lose access again after the new password change and have to start over 
at the beginning to get back in.

This gains you plenty if someone who is unauthorized loses access.

If you are dealing with regular users, Bill will give Ted a password for 
one item when Bill goes on vacation since it is much easier than 
getting the IT weenies to change the access that Ted has ... besides he 
only needs to log in one time while Bill is on vacation.  However, if 
Bill never has to change his password then Ted has Bill's access forever.

Then of course there is the brute force guessing, etc.

Changing passwords at regular intervals is more secure than keeping the 
same passwords.
