On Jan 28, 2008 9:19 PM, Michael A. Peters <mpeters at mac.com> wrote:
> Frank Cox wrote:
> > On Mon, 28 Jan 2008 22:36:03 -0500
> > Jim Perrin <jperrin at gmail.com> wrote:
> >
> >> And above all, because I know many admins slack on this, and I'm
> >> guilty of it as well if it's not forced... ROTATE your passwords
> >> periodically
> >
> > I have never understood this. If I have a good, strong password that nobody
> > knows, how is changing it to another one an improvement over what I already
> > have?
> >
>
> I agree with you.
>
> A company I worked for required rotation of passwords and strong
> passwords. We fired one of the sysadmins because he had a problem coming
> in to work late.
>
> Take a wild guess at what we found taped to the bottom of his keyboard.
> Requiring password rotation increases the occurrences of that issue.
>

I am sorry, but that is a logical fallacy if I have ever seen one. I have seen lots of people who come in on time and stay late who have passwords taped to the bottom of their keyboards... and they never had to change their passwords. And I know lots of people who do not do this who have to change their passwords every 90 days.

Rotating passwords comes from the following theories:

1) As in cryptography, you must assume that the attacker knows everything you know and probably something more.

2) You do not know where the attacker is.

Thus for a networked system or a system with multiple users, you must assume that within a certain amount of time, your hashes have been seen. Then you multiply it by the amount of time it would take to 'crack' that hash with precomputed hash tables and/or multi-system hacks. With the price of a cluster of 10,000 botted computers being pretty low... you can assume that multi-system hacks are possible. Then you look at the value of your data. From that you can come up with how long before your password needs to be rotated. Using 2-3 factor authentication lowers this risk, and using one-time passwords also does. However, the cost of doing so in training, materials, etc. may be more than what you wish to look for.

> Rotating passwords IMHO should only be done when there is a possibility
> that the shadow file has been compromised or an employee with root
> access is dismissed on bad terms.
>
> A better thing to do is disable remote root login, be extremely careful
> with sudo (it should not be allowed to spawn a shell for any user), and
> log to a log server rather than local filesystem.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams!
So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"
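The reasoning in the reply above (assume the hash leaks after some exposure time, add the time an attacker with a large cluster needs to crack it, and rotate before that window closes) can be written down as a small model. The following is an added example, not code from the list thread or from any of the posters; the guess rates, cluster size and password policies are constructed assumptions, and reading the poster's "multiply" as "combine the exposure time with the crack time" is my interpretation. It also covers Frank Cox's objection: when the crack time of a strong password dwarfs any realistic exposure period, scheduled rotation adds nothing against this particular threat.

```python
"""Model of the 'rotate before a leaked hash can be cracked' argument.

Added example with constructed numbers; nothing here comes from the
mailing-list posts themselves.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365.25


@dataclass(frozen=True)
class Policy:
    name: str
    alphabet_size: int  # distinct characters the policy allows
    length: int         # minimum length the policy enforces


def keyspace(policy: Policy) -> int:
    """Number of distinct passwords the policy admits (exhaustive-search worst case)."""
    return policy.alphabet_size ** policy.length


def expected_crack_days(policy: Policy, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: on average half the keyspace is tried."""
    return keyspace(policy) / 2 / guesses_per_second / SECONDS_PER_DAY


def rotation_interval_days(exposure_days: float, crack_days: float, margin: float = 0.5) -> float:
    """The list argument: the hash is assumed seen after `exposure_days`; the attacker then
    needs `crack_days` more. Rotate before that window closes, keeping only `margin` of it."""
    if not 0 < margin <= 1:
        raise ValueError("margin must be in (0, 1]")
    return (exposure_days + crack_days) * margin


def rotation_is_meaningful(crack_days: float, horizon_years: float = 100.0) -> bool:
    """Frank Cox's objection, made testable: if cracking outlives any plausible horizon,
    a rotation schedule buys nothing against offline cracking of a leaked hash."""
    return crack_days < horizon_years * DAYS_PER_YEAR


def evaluate(policies, guesses_per_second: float, exposure_days: float) -> dict:
    """Return, per policy, the expected crack time, the implied rotation interval and
    whether rotation is even relevant for the modelled attacker."""
    report = {}
    for p in policies:
        crack = expected_crack_days(p, guesses_per_second)
        report[p.name] = {
            "crack_days": crack,
            "rotate_every_days": rotation_interval_days(exposure_days, crack),
            "rotation_meaningful": rotation_is_meaningful(crack),
        }
    return report


# Constructed attacker model (assumption, not a measured figure): 10,000 botted hosts,
# each managing 10^4 guesses/s against a salted, iterated password hash.
BOTNET_HOSTS = 10_000
GUESSES_PER_HOST_PER_SECOND = 1e4
ATTACKER_RATE = BOTNET_HOSTS * GUESSES_PER_HOST_PER_SECOND  # 1e8 guesses/s

# Constructed exposure assumption: the shadow file is treated as seen after 30 days.
EXPOSURE_DAYS = 30

POLICIES = [
    Policy("lowercase-8", alphabet_size=26, length=8),
    Policy("mixed-12", alphabet_size=95, length=12),
]

if __name__ == "__main__":
    for name, row in evaluate(POLICIES, ATTACKER_RATE, EXPOSURE_DAYS).items():
        years = row["crack_days"] / DAYS_PER_YEAR
        print(f"{name:13s} crack ~{years:.3g} years; "
              f"rotate every {row['rotate_every_days']:.3g} days; "
              f"rotation meaningful: {row['rotation_meaningful']}")
```

Under these assumptions the eight-character lowercase policy falls in well under a day, so the implied rotation interval is driven almost entirely by the exposure assumption, while the twelve-character mixed policy needs on the order of tens of millions of years and the rotation schedule becomes irrelevant for this threat. The model only covers offline cracking of a leaked hash; the keyboard-sticky-note problem discussed in the thread is a separate failure mode that no parameter here captures.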