[CentOS] Re: Unknown rootkit causes compromised servers

Tue Jan 29 19:59:15 UTC 2008
Scott Silva <ssilva at sgvwater.com>

on 1/29/2008 10:41 AM Johnny Hughes spake the following:
> David Thompson wrote:
>> "Michael A. Peters" wrote:
>>>> I have never understood this.  If I have a good, strong password
>>>> that nobody knows, how is changing it to another one an improvement
>>>> over what I already have?
>>> I agree with you.
>>
>> For user accounts, changing one strong password for another gains you 
>> nothing, and may cause people to start writing things down, or 
>> choosing trivial passwords which still meet the password strength 
>> criteria, or whatever, actually weakening security.
>>
>> However, if you have admins who come into or leave employment, 
>> changing privileged account passwords (read: root or equiv) is a 
>> necessary activity.
>>
> 
> I disagree with this too, changing one strong password for another gains 
> you plenty if someone has compromised the initial one.
> 
> The purpose of changing strong passwords is so that if someone has been 
> fortunate enough to use some kind of method to get a password, they 
> lose access again after the new password change and have to start over 
> at the beginning to get back in.
> 
> This gains you plenty if someone who is unauthorized loses access.
> 
> If you are dealing with regular users, Bill will give Ted a password for 
> one item when Bill goes on vacation since it is much easier than 
> getting the IT weenies to change the access that Ted has ... besides he 
> only needs to login one time while Bill is on vacation.  However, if 
> Bill never has to change his password then Ted has Bill's access forever.
> 
> Then of course there is the brute force guessing, etc.
> 
> Changing passwords at regular intervals is more secure than keeping the 
> same passwords.
> 
If I ever need to give root access to somebody else, I change the password 
"before" I give it out, and change it again after. Just in case I got lazy and 
used it somewhere else. Sometimes you get busy or just plain forget.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
